Vulnerability DatabaseCVE-2024-49753

CVE-2024-49753:
Chainguard vulnerability analysis and mitigation

Overview

Zitadel is open-source identity infrastructure software. A vulnerability (CVE-2024-49753) was discovered in versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 where there is a flaw in the URL validation mechanism of Zitadel actions that allows bypassing restrictions intended to block requests to localhost (127.0.0.1) (GitHub Advisory).

Technical details

The vulnerability exists in the isHostBlocked check, which is designed to prevent requests to localhost. The security measure can be circumvented by creating a DNS record that resolves to 127.0.0.1, enabling actions to send requests to localhost despite the intended security restrictions. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N (GitHub Advisory).

Impact

This vulnerability potentially allows unauthorized access to unsecured internal endpoints, which may contain sensitive information or functionalities. The impact is reflected in the CVSS metrics showing high impact on both confidentiality and integrity (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in versions 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7. No workarounds are available, and users are advised to upgrade to the patched versions (GitHub Advisory).

Additional resources

Source: This report was generated using AI

Related Chainguard vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-66471	HIGH	8.9	Python	py3-urllib3	No	Yes	Dec 05, 2025
CVE-2025-66418	HIGH	8.9	Python	python-urllib3	No	Yes	Dec 05, 2025
CVE-2025-66564	HIGH	7.5	Datadog Agent	cosign	No	Yes	Dec 04, 2025
CVE-2025-66490	MEDIUM	6.9	Wolfi	traefik-3	No	Yes	Dec 09, 2025
CVE-2025-66491	MEDIUM	5.9	Wolfi	traefik	No	Yes	Dec 09, 2025