
Cloud Vulnerability DB
A community-driven vulnerability database
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ZITADEL's Organization V2Beta API, identified as CVE-2025-64431. The vulnerability affects ZITADEL versions 4.0.0-rc.1 through 4.6.2, and was disclosed on November 5, 2025. The vulnerability allows authenticated users with administrator roles within one organization to access and modify data belonging to other organizations within the same ZITADEL instance (GHSA Advisory).
The vulnerability stems from improper authorization checks in the Organization V2Beta API endpoints. The service wrongly checked permissions on the user's organization instead of the organization being accessed. This IDOR vulnerability has been assigned a CVSS v4.0 score of 8.7 (High), with the following vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The vulnerability requires network access and low privileges to exploit, with no special attack complexity or user interaction needed (GHSA Advisory).
The vulnerability enables attackers to read organization data (including names, domains, and metadata), manipulate organization data, and potentially delete entire organizations. However, the scope is limited to organization-level data, and does not affect other related data such as users, projects, or applications (GHSA Advisory).
The vulnerability has been patched in ZITADEL version 4.6.3, released on November 5, 2025. The fix involves correcting permission checks in the organization v2beta service to properly validate against the target organization rather than the user's organization. For systems unable to upgrade immediately, a temporary workaround involves disabling the affected Organization V2Beta API endpoints at the reverse proxy or Web Application Firewall (WAF) level (GHSA Advisory, GitHub Release).
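The root cause described above, an authorization check performed against the caller's own organization rather than the organization named in the request, modelled side by side with the corrected check. This is an added illustration, not ZITADEL's code; `Caller`, `orgs`, `getOrgVulnerable` and `getOrgFixed` are hypothetical names and the in-memory store is constructed data.

```go
package main

import "errors"

// Constructed, simplified model of the authorization decision the advisory
// describes; Caller, orgs, getOrgVulnerable and getOrgFixed are hypothetical
// names for illustration, not ZITADEL's own code.
var ErrPermissionDenied = errors.New("permission denied")
var ErrNotFound = errors.New("organization not found")

// Caller is the authenticated principal: its home organization and the set
// of organizations in which it holds an admin role.
type Caller struct {
	OrgID   string
	AdminIn map[string]bool
}

// Organization is the record the endpoint returns.
type Organization struct{ ID, Name string }

// orgs is a constructed in-memory store standing in for one instance's data.
var orgs = map[string]Organization{
	"org-a": {ID: "org-a", Name: "Org A"},
	"org-b": {ID: "org-b", Name: "Org B"},
}

func lookup(id string) (Organization, error) {
	if o, ok := orgs[id]; ok {
		return o, nil
	}
	return Organization{}, ErrNotFound
}

// getOrgVulnerable mirrors the flaw: the admin role is checked on the caller's
// own organization (c.OrgID), so an admin of any org can read every org.
func getOrgVulnerable(c Caller, targetOrgID string) (Organization, error) {
	if !c.AdminIn[c.OrgID] { // wrong subject: the caller's org, not the target
		return Organization{}, ErrPermissionDenied
	}
	return lookup(targetOrgID)
}

// getOrgFixed checks the role on the organization actually being accessed,
// which is the correction the 4.6.3 patch describes.
func getOrgFixed(c Caller, targetOrgID string) (Organization, error) {
	if !c.AdminIn[targetOrgID] { // authorize against the target resource
		return Organization{}, ErrPermissionDenied
	}
	return lookup(targetOrgID)
}
```

The fixed variant also denies access to unknown organization IDs before any lookup happens, so the response does not reveal whether the target exists.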
Source: This report was generated using AI