CVE-2025-31123

April 1, 2025, 8:26 p.m.

8.7
High

Description

Zitadel is open-source identity infrastructure software. A vulnerability existed where expired keys can be used to retrieve tokens. Specifically, ZITADEL fails to properly check the expiration date of the JWT key when used for Authorization Grants. This allows an attacker with an expired key to obtain valid access tokens. This vulnerability does not affect the use of JWT Profile for OAuth 2.0 Client Authentication on the Token and Introspection endpoints, which correctly reject expired keys. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9.

Product(s) Impacted

Vendor Product Versions
Zitadel
  • Zitadel
  • 2.63.9, 2.64.6, 2.65.7, 2.66.16, 2.67.13, 2.68.9, 2.69.9, 2.70.8, 2.71.6

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-324
Use of a Key Past its Expiration Date
The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a zitadel zitadel 2.63.9 / / / / / / /
a zitadel zitadel 2.64.6 / / / / / / /
a zitadel zitadel 2.65.7 / / / / / / /
a zitadel zitadel 2.66.16 / / / / / / /
a zitadel zitadel 2.67.13 / / / / / / /
a zitadel zitadel 2.68.9 / / / / / / /
a zitadel zitadel 2.69.9 / / / / / / /
a zitadel zitadel 2.70.8 / / / / / / /
a zitadel zitadel 2.71.6 / / / / / / /

CVSS Score

8.7 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: HIGH
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE
  • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

    View Vector String

Timeline

Published: March 31, 2025, 8:15 p.m.
Last Modified: April 1, 2025, 8:26 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.