Description
Advisory GHSA-j4g7-v4m4-77px references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/zitadel/zitadel |
Description:
Summary
A vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding IdP was not active or if the organization did not allow federated authentication.
Impact
This vulnerability stems from the platform's failure to correctly check or enforce an organization's specific security settings during the authentication flow. An Organization Administrator can explicitly disable an IdP or disallow federation, but this setting was not being honored during the auto-linking process.
This allowed...
References:
- ADVISORY: GHSA-j4g7-v4m4-77px
- ADVISORY: GHSA-j4g7-v4m4-77px
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-64717
- FIX: zitadel/zitadel@33c51de
- WEB: https://github.com/zitadel/zitadel/releases/tag/v2.71.19
- WEB: https://github.com/zitadel/zitadel/releases/tag/v3.4.4
- WEB: https://github.com/zitadel/zitadel/releases/tag/v4.6.6
Cross references:
- github.com/zitadel/zitadel appears in 26 other report(s):
  - data/excluded/GO-2022-0961.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2022-36051 #961) NOT_IMPORTABLE
  - data/excluded/GO-2023-1489.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-6rrr-78xp-5jp8 #1489) NOT_IMPORTABLE
  - data/excluded/GO-2023-2107.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-44399 #2107) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-2155.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-46238 #2155) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-2187.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7h8m-vrxx-vr4m #2187) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-2368.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-2wmj-46rj-qm2w #2368) NOT_IMPORTABLE
  - data/reports/GO-2024-2637.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-mq4x-r2w3-j7mr #2637)
  - data/reports/GO-2024-2655.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hfrg-4jwr-jfpj #2655)
  - data/reports/GO-2024-2664.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-gp8g-f42f-95q2 #2664)
  - data/reports/GO-2024-2665.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hr5w-cwwq-2v4m #2665)
  - data/reports/GO-2024-2788.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7j7j-66cv-m239 #2788)
  - data/reports/GO-2024-2804.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-32967 #2804)
  - data/reports/GO-2024-2968.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-39683 #2968)
  - data/reports/GO-2024-3014.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41952 #3014)
  - data/reports/GO-2024-3015.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41953 #3015)
  - data/reports/GO-2024-3137.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-2w5j-qfvw-2hf5 #3137)
  - data/reports/GO-2024-3138.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-jj94-6f5c-65r8 #3138)
  - data/reports/GO-2024-3139.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-qr2h-7pwm-h393 #3139)
  - data/reports/GO-2024-3216.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-49753 #3216)
  - data/reports/GO-2024-3217.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-49757 #3217)
  - data/reports/GO-2025-3499.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-f3gh-529w-v32x #3499)
  - data/reports/GO-2025-3671.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2025-46815 #3671)
  - data/reports/GO-2025-3721.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-93m4-mfpg-c3xf #3721)
  - data/reports/GO-2025-4083.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-cfjq-28r2-4jv5 #4083)
  - data/reports/GO-2025-4084.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-mwmh-7px9-4c23 #4084)
  - data/reports/GO-2025-4085.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-xrw9-r35x-x878 #4085)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/zitadel/zitadel
      versions:
        - introduced: 1.80.0-v2.20.0.20240403060621-5b3946b67ef6
        - fixed: 1.80.0-v2.20.0.20251112124840-33c51deb2040
      non_go_versions:
        - introduced: 4.0.0-rc.1
        - fixed: 4.6.6
        - introduced: 2.50.0
        - fixed: 2.71.19
        - introduced: 3.0.0-rc.1
        - fixed: 3.4.4
summary: ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP in github.com/zitadel/zitadel
cves:
    - CVE-2025-64717
ghsas:
    - GHSA-j4g7-v4m4-77px
references:
    - advisory: https://github.com/advisories/GHSA-j4g7-v4m4-77px
    - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-j4g7-v4m4-77px
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-64717
    - fix: https://github.com/zitadel/zitadel/commit/33c51deb20402dd5720e32cfb0c1d5fdc752f2e0
    - web: https://github.com/zitadel/zitadel/releases/tag/v2.71.19
    - web: https://github.com/zitadel/zitadel/releases/tag/v3.4.4
    - web: https://github.com/zitadel/zitadel/releases/tag/v4.6.6
notes:
    - fix: 'github.com/zitadel/zitadel: could not add vulnerable_at: could not find tagged version between introduced and fixed'
source:
    id: GHSA-j4g7-v4m4-77px
    created: 2025-11-14T22:02:01.298524798Z
    review_status: UNREVIEWED
```