CVE-2025-48936

Description

ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel from v2.38.3 before v2.70.12, from v2.71.0 before v2.71.11, from v3.0.0-rc1 before v3.2.2.

How to fix CVE-2025-48936

To remediate CVE-2025-48936, upgrade the affected package to a fixed version below.

• —upgrade to 0.0.0-20250528081227-c097887bc5f6 or later
• —upgrade to 0.0.0-20250528081227-c097887bc5f6 or later
• —upgrade to 2.70.12 or later

Is CVE-2025-48936 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• from 0, < 0.0.0-20250528081227-c097887bc5f6
• from 0, < 0.0.0-20250528081227-c097887bc5f6
• >= 2.38.3, < 2.70.12

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-48936
• PATCHgithub.com/zitadel/zitadel
• WEBgithub.com/zitadel/zitadel/commit/c097887bc5f680e12c998580fb56d98a15758f53
• WEBgithub.com/zitadel/zitadel/security/advisories/GHSA-93m4-mfpg-c3xf