CVE-2025-67495 Overview
CVE-2025-67495 is a DOM-Based Cross-Site Scripting (XSS) vulnerability in ZITADEL, an open-source identity infrastructure platform. The flaw affects versions 4.0.0-rc.1 through 4.7.0 and resides in the Zitadel V2 /logout endpoint. The endpoint insecurely routes to a value supplied via the post_logout_redirect GET parameter, allowing an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's browser. Exploitation requires user interaction and multiple active user sessions in the same browser. The issue is fixed in version 4.7.1.
Critical Impact
Attackers can execute malicious JavaScript in the context of Zitadel users, enabling session-based account takeover unless Multi-Factor Authentication (MFA) or passwordless authentication is enforced.
Affected Products
- ZITADEL versions 4.0.0-rc.1 through 4.7.0
- ZITADEL V2 login application (/logout endpoint)
- Deployments not enforcing MFA or passwordless authentication
Discovery Timeline
- 2025-12-09 - CVE-2025-67495 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-67495
Vulnerability Analysis
The vulnerability is classified as DOM-Based Cross-Site Scripting under [CWE-79]. The Zitadel V2 login application exposes a /logout endpoint that consumes the post_logout_redirect query parameter without validating or sanitizing its content. Because the value flows into a client-side routing sink, an attacker can supply a JavaScript URI or crafted payload that executes when the browser processes the logout flow.
Exploitation is unauthenticated but requires the victim to click a malicious link and to have multiple active Zitadel sessions in the same browser. Successful exploitation leads to script execution under the Zitadel origin, exposing tokens and session context. Account takeover risk is reduced when MFA or passwordless authentication is required at reauthentication.
Root Cause
The root cause is missing validation of the post_logout_redirect parameter in the V2 logout handler. User-controlled input reaches a navigation sink that treats the value as a trusted redirect target. The upstream fix centralizes host header resolution and forwards headers to APIs, reducing the trust placed in client-supplied routing values.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker crafts a URL to the vulnerable /logout endpoint with a malicious post_logout_redirect value and delivers it via phishing, a malicious website, or an embedded link. When the victim, who has multiple Zitadel sessions active in the same browser, follows the link, the injected JavaScript executes in the Zitadel origin context.
// Security patch in apps/login/next-env.d.ts
/// <reference types="next" />
/// <reference types="next/image-types/global" />
+/// <reference path="./.next/types/routes.d.ts" />
// NOTE: This file should not be edited
// see https://nextjs.org/docs/app/api-reference/config/typescript for more information.
Source: GitHub Commit 4c879b4
Detection Methods for CVE-2025-67495
Indicators of Compromise
- Requests to the /logout endpoint containing suspicious post_logout_redirect values such as javascript:, data:, or encoded script payloads.
- Unexpected outbound requests from Zitadel user sessions immediately after logout events.
- HTTP referrer chains showing external phishing domains leading to Zitadel /logout URLs.
Detection Strategies
- Inspect web server and reverse proxy logs for /logout requests where post_logout_redirect contains non-allowlisted schemes or hostnames.
- Deploy Content Security Policy (CSP) reporting to capture inline script execution attempts on Zitadel origins.
- Correlate authentication events with anomalous session token usage across geolocations after logout attempts.
Monitoring Recommendations
- Alert on Zitadel deployments still running versions 4.0.0-rc.1 through 4.7.0.
- Monitor for repeated logout requests with parameter tampering signatures against identity infrastructure.
- Track user reports of unexpected redirects or browser prompts following authentication flows.
How to Mitigate CVE-2025-67495
Immediate Actions Required
- Upgrade ZITADEL to version 4.7.1 or later, which contains the fix in commit 4c879b4.
- Enforce Multi-Factor Authentication (MFA) or passwordless authentication for all user accounts to reduce account takeover impact.
- Audit any custom OIDC client configurations that rely on post_logout_redirect_uri values.
Patch Information
The vulnerability is patched in ZITADEL version 4.7.1. The upstream commit centralizes host header resolution and forwards headers to APIs, tightening how the login application handles redirect and routing values. Review the GitHub Security Advisory GHSA-v959-qxv6-6f8p and the patch commit for details.
Workarounds
- Restrict allowed post_logout_redirect_uri values in Zitadel client configurations to a strict allowlist of trusted URLs.
- Deploy a Web Application Firewall (WAF) rule that blocks /logout requests containing javascript: or data: schemes in query parameters.
- Instruct users to log out of one Zitadel session per browser profile until upgrade is complete, reducing multi-session prerequisites for exploitation.
# Example WAF rule (ModSecurity) to block dangerous post_logout_redirect values
SecRule REQUEST_URI "@rx /logout" "chain,id:1006749,phase:2,deny,status:403,log,msg:'CVE-2025-67495 XSS attempt'"
SecRule ARGS:post_logout_redirect "@rx (?i)(javascript:|data:|vbscript:|<script)" "t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

