CVE-2025-67494 Overview
CVE-2025-67494 is a Server-Side Request Forgery (SSRF) vulnerability affecting ZITADEL, an open-source identity infrastructure tool. The vulnerability exists in the ZITADEL Login UI (V2), which improperly treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This design flaw allows an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, including internal network addresses, and read the responses. The vulnerability enables data exfiltration and bypassing of network-segmentation controls without requiring any authentication.
Critical Impact
Unauthenticated attackers can exploit this full-read SSRF vulnerability to access internal services, exfiltrate sensitive data, and bypass network segmentation controls in self-hosted ZITADEL deployments.
Affected Products
- ZITADEL versions 4.7.0 and below
- ZITADEL Login UI (V2) on self-hosted instances
- All deployment configurations using the vulnerable x-zitadel-forward-host header handling
Discovery Timeline
- 2025-12-09 - CVE-2025-67494 published to NVD
- 2025-12-19 - Last updated in NVD database
Technical Details for CVE-2025-67494
Vulnerability Analysis
This vulnerability is classified under CWE-918 (Server-Side Request Forgery). The ZITADEL Login UI (V2) contains a flaw in how it handles host header resolution. The application trusts the x-zitadel-forward-host header as a fallback mechanism across all deployment types, rather than restricting this behavior to specific trusted environments. This allows attackers to manipulate the header value to redirect server-side HTTP requests to arbitrary destinations, including internal network resources that should be protected by network segmentation.
The full-read nature of this SSRF means attackers can not only trigger requests but also receive and read the complete responses from targeted internal services. This significantly amplifies the impact compared to blind SSRF vulnerabilities, as sensitive data from internal APIs, metadata services, and other protected endpoints can be directly exfiltrated.
Root Cause
The root cause of CVE-2025-67494 lies in the centralized host header resolution logic within the ZITADEL Login UI. The application fails to properly validate or restrict the x-zitadel-forward-host header, treating it as trusted input regardless of the deployment context. This design assumption was appropriate for certain cloud-managed environments but creates a significant security gap when applied to self-hosted instances where the header can be directly controlled by external attackers.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can craft HTTP requests to the ZITADEL Login UI with a malicious x-zitadel-forward-host header value pointing to internal addresses (e.g., 169.254.169.254 for cloud metadata services, internal API endpoints, or other network resources). The server processes this header and makes requests to the attacker-specified destination, returning the response content to the attacker. This enables reconnaissance of internal networks, access to sensitive configuration data, and potential pivoting to other internal services.
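To make the root cause and attack vector above concrete, here is a hypothetical host-resolution routine in TypeScript written for this page; it is not ZITADEL's code, and the function names, the `DeploymentConfig` shape and the header map type are assumptions. The vulnerable resolver treats the forward header as a blanket fallback; the hardened one honours it only under an explicit trust setting and an allowlist.

```typescript
// Hypothetical illustration of the CVE-2025-67494 flaw class, not ZITADEL's code.
// Headers are modelled as a plain object so this runs without DOM or Node typings.
type HeaderMap = Record<string, string | undefined>;

interface DeploymentConfig {
  publicHosts: string[];           // hostnames this instance serves (assumed config)
  trustForwardHostHeader: boolean; // true only behind a trusted managed proxy
}

// Vulnerable pattern: the forward header is a blanket fallback for every
// deployment, so an unauthenticated client chooses the host the server calls.
function resolveHostVulnerable(headers: HeaderMap): string {
  return headers["x-zitadel-forward-host"] ?? headers["host"] ?? "localhost";
}

// Hardened pattern: the header is honoured only when the deployment explicitly
// trusts its proxy AND the value is one of the configured public hosts.
function resolveHostHardened(headers: HeaderMap, cfg: DeploymentConfig): string {
  const forwarded = headers["x-zitadel-forward-host"]?.toLowerCase();
  const host = headers["host"]?.toLowerCase();
  if (cfg.trustForwardHostHeader && forwarded && cfg.publicHosts.includes(forwarded)) {
    return forwarded;
  }
  if (host && cfg.publicHosts.includes(host)) {
    return host;
  }
  // Unknown host: refuse rather than guess; this is what closes the SSRF.
  throw new Error(`untrusted host: ${forwarded ?? host ?? "<none>"}`);
}

// The server-side call that the resolved host feeds into; with the vulnerable
// resolver an attacker-supplied header decides where this request goes.
function buildBackendUrl(host: string, path: string): string {
  return `https://${host}${path}`;
}
```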
/// <reference types="next" />
/// <reference types="next/image-types/global" />
+/// <reference path="./.next/types/routes.d.ts" />
// NOTE: This file should not be edited
// see https://nextjs.org/docs/app/api-reference/config/typescript for more information.
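Review bot: nothing in this hunk relates to host-header validation; it only adds a generated reference line (`/// <reference path="./.next/types/routes.d.ts" />`) to a file whose own comment says it should not be edited, so it is build-tooling noise rather than the security fix and should be kept separate from, or at least not cited as evidence of, the CVE-2025-67494 remediation in commit 4c879b47334e01d4fcab921ac1b44eda39acdb96.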
Source: GitHub Commit Details
The patch centralizes host header resolution and implements proper validation to prevent arbitrary header forwarding. Additional configuration changes were made to the Next.js setup:
output: process.env.NEXT_OUTPUT_MODE || undefined,
reactStrictMode: true,
experimental: {
- dynamicIO: true,
// Add React 19 compatibility optimizations
optimizePackageImports: ['@radix-ui/react-tooltip', '@heroicons/react'],
- },
- eslint: {
- ignoreDuringBuilds: true,
+ useCache: true,
},
// Improve SSR stability - not actually needed for React 19 SSR issues
// onDemandEntries: {
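Review bot: removing the `eslint: { ignoreDuringBuilds: true }` block changes build behaviour (lint errors are no longer suppressed at build time) and, like swapping `dynamicIO: true` for `useCache: true` under `experimental`, has nothing to do with x-zitadel-forward-host handling; these framework-config changes should be called out in the commit message or split from the security fix, and the commented-out `onDemandEntries` block that the comment itself says is "not actually needed" should be deleted rather than left behind.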
Source: GitHub Commit Details
Detection Methods for CVE-2025-67494
Indicators of Compromise
- Unusual outbound HTTP requests from ZITADEL servers to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and the link-local range 169.254.0.0/16)
- HTTP requests containing suspicious x-zitadel-forward-host header values pointing to internal services or cloud metadata endpoints
- Abnormal response sizes or patterns from the ZITADEL Login UI endpoints
- Access logs showing requests with x-zitadel-forward-host headers containing IP addresses or internal hostnames
Detection Strategies
- Implement web application firewall (WAF) rules to inspect and block requests with suspicious x-zitadel-forward-host header values
- Configure network monitoring to detect ZITADEL server connections to internal network ranges that are not part of normal operation
- Enable detailed logging for the ZITADEL Login UI to capture all incoming headers for forensic analysis
- Deploy intrusion detection rules to alert on SSRF patterns targeting cloud metadata services (e.g., 169.254.169.254)
Monitoring Recommendations
- Monitor egress traffic from ZITADEL servers for connections to unexpected internal or external destinations
- Set up alerts for HTTP requests to the Login UI that include x-zitadel-forward-host headers from untrusted sources
- Review ZITADEL access logs regularly for patterns consistent with SSRF exploitation attempts
- Implement network segmentation monitoring to detect any bypass attempts from the ZITADEL application tier
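The indicators and detection strategies above, turned into a small log scanner. This is an added example, not ZITADEL tooling; it assumes an nginx-style access log in which the last quoted field is `$http_x_zitadel_forward_host`, and the log lines and the `ALLOWED_HOSTS` list are constructed samples.

```typescript
// Added detection example for CVE-2025-67494 (not ZITADEL tooling). Assumes an
// nginx-style access log whose last quoted field is $http_x_zitadel_forward_host.
// The lines below are constructed samples, not real traffic.
const SAMPLE_LOG: string[] = [
  '203.0.113.7 - - [09/Dec/2025:10:01:02 +0000] "GET /ui/v2/login HTTP/1.1" 200 512 "-"',
  '203.0.113.7 - - [09/Dec/2025:10:01:05 +0000] "GET /ui/v2/login HTTP/1.1" 200 9001 "169.254.169.254"',
  '198.51.100.4 - - [09/Dec/2025:10:02:11 +0000] "GET /ui/v2/login HTTP/1.1" 200 480 "login.example.com"',
  '198.51.100.4 - - [09/Dec/2025:10:02:19 +0000] "GET /ui/v2/login HTTP/1.1" 200 2310 "10.0.3.15:8080"',
  '192.0.2.9 - - [09/Dec/2025:10:03:40 +0000] "GET /ui/v2/login HTTP/1.1" 200 700 "vault.internal"',
];

// Public hostnames the Login UI legitimately serves (assumed deployment config).
const ALLOWED_HOSTS = new Set<string>(["login.example.com"]);

// IPv4 literal in a range a self-hosted Login UI should never be told to call.
function isInternalIPv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 || (a === 169 && b === 254) ||
         (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Classify a forward-host value; null means benign (absent or allowlisted).
function classifyForwardHost(value: string): string | null {
  if (value === "-" || value === "") return null;           // header not sent
  const host = value.toLowerCase().replace(/:\d+$/, "");    // drop any :port
  if (ALLOWED_HOSTS.has(host)) return null;
  if (isInternalIPv4(host)) return "internal-ip";
  if (host === "localhost" || !host.includes(".") ||
      host.endsWith(".internal") || host.endsWith(".local")) return "internal-hostname";
  return "unexpected-host";
}

interface Finding { client: string; forwardHost: string; reason: string }

// Scan access-log lines and return one finding per suspicious forward-host value.
function findSsrfAttempts(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const client = line.split(" ")[0] ?? "";
    const quoted = line.match(/"([^"]*)"/g);                // all quoted fields
    if (!quoted) continue;
    const forwardHost = (quoted[quoted.length - 1] ?? '""').slice(1, -1);
    const reason = classifyForwardHost(forwardHost);
    if (reason) findings.push({ client, forwardHost, reason });
  }
  return findings;
}
```

Feed it the real log once the proxy captures the header, and pair the hits with egress-flow records from the ZITADEL host to confirm whether a flagged request actually produced an internal connection.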
How to Mitigate CVE-2025-67494
Immediate Actions Required
- Upgrade ZITADEL to version 4.7.1 or later immediately to apply the security fix
- Review access logs for any evidence of exploitation attempts targeting the x-zitadel-forward-host header
- Implement network-level controls to restrict outbound connections from ZITADEL servers to only required destinations
- Configure a reverse proxy or WAF to strip or validate the x-zitadel-forward-host header before it reaches the ZITADEL application
Patch Information
The vulnerability is fixed in ZITADEL version 4.7.1. The patch centralizes host header resolution and implements proper validation to prevent arbitrary header forwarding to internal APIs. Organizations should upgrade to the patched version as soon as possible. The fix is available in commit 4c879b47334e01d4fcab921ac1b44eda39acdb96. For additional details, refer to the GitHub Security Advisory GHSA-7wfc-4796-gmg5.
Workarounds
- Deploy a reverse proxy or WAF in front of ZITADEL that strips the x-zitadel-forward-host header from all incoming requests
- Implement network segmentation to prevent ZITADEL servers from reaching sensitive internal services even if SSRF is exploited
- Configure firewall rules to block outbound connections from ZITADEL to internal network ranges and cloud metadata services
- If upgrading is not immediately possible, consider temporarily restricting access to the ZITADEL Login UI to trusted networks only
# Example nginx configuration to strip the vulnerable header
# (an empty value makes nginx omit the header from the proxied request;
# this only helps if clients cannot reach ZITADEL except through this proxy)
location / {
proxy_pass http://zitadel-backend;
proxy_set_header x-zitadel-forward-host "";
# Standard client-address forwarding headers (not part of the fix)
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.