
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2025-48936 affects ZITADEL, an open-source identity and access management platform, and was disclosed in May 2025. The vulnerability lies in the password reset mechanism of versions prior to 2.70.12, 2.71.11, and 3.2.2 (that is, 2.70.x before 2.70.12, 2.71.x before 2.71.11, and 3.x before 3.2.2). It has been assigned a CVSS v3.1 base score of 8.1 (High) (GitHub Advisory, NVD).
The vulnerability stems from improper validation of the Forwarded and X-Forwarded-Host headers on incoming requests. ZITADEL used these headers to determine the host (and scheme) of the password reset confirmation link that is emailed to the user. Because the headers are attacker-controllable, an attacker who can trigger a password reset for a victim can inject a host of their choosing and have ZITADEL generate a reset link that points to a domain they control. The issue is classified as URL Redirection to Untrusted Site (CWE-601) (GitHub Advisory).
If the victim clicks the manipulated link in the email, the request, including the secret reset code embedded in the URL, is sent to the attacker's domain. The attacker can then replay the captured code against the legitimate ZITADEL instance to set a new password and take over the account. Accounts with Multi-Factor Authentication (MFA) or passwordless authentication enabled are not affected by this attack vector, since the password alone does not grant access (GitHub Advisory).
The vulnerability has been patched in versions 2.70.12, 2.71.11, and 3.2.2. The fix validates the forwarded host before using it in the link and prevents a protocol downgrade from HTTPS to HTTP via the same headers. For self-hosted deployments that cannot patch immediately, the documented workaround is to configure the proxy fronting ZITADEL to delete all Forwarded and X-Forwarded-Host header values before forwarding requests to ZITADEL, so that client-supplied values never reach the application. Whether patching or applying the workaround, it is worth verifying the result: trigger a password reset while sending a forged X-Forwarded-Host header and confirm that the emailed link still carries the configured domain and an https scheme (GitHub Advisory, GitHub Commit).
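The following Go program is an added illustration of the bug class and of the two responses described above (header validation with downgrade prevention, and header stripping at the fronting proxy). It is not ZITADEL's code: the reset path `/password/reset`, the `userID`/`code` query parameters, the `allowedHosts` allowlist, and the `requireHTTPS` flag are all assumptions chosen for the example, and the sample request with its Forwarded header is constructed inline.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// forwardedParam pulls one parameter ("host" or "proto") out of an RFC 7239
// Forwarded header such as `for=203.0.113.9;host=evil.example;proto=http`.
// Only the first (outermost) element is read, which is enough for the demo.
func forwardedParam(header, key string) string {
	first := strings.SplitN(header, ",", 2)[0]
	for _, pair := range strings.Split(first, ";") {
		kv := strings.SplitN(strings.TrimSpace(pair), "=", 2)
		if len(kv) == 2 && strings.EqualFold(kv[0], key) {
			return strings.ToLower(strings.Trim(kv[1], `"`))
		}
	}
	return ""
}

// requestedOrigin is the scheme/host a server derives when it trusts proxy
// headers: TLS state and Host are the baseline, then Forwarded and the
// X-Forwarded-* variants override them.
func requestedOrigin(r *http.Request) (scheme, host string) {
	scheme, host = "http", r.Host
	if r.TLS != nil {
		scheme = "https"
	}
	if f := r.Header.Get("Forwarded"); f != "" {
		if h := forwardedParam(f, "host"); h != "" {
			host = h
		}
		if p := forwardedParam(f, "proto"); p != "" {
			scheme = p
		}
	}
	if h := r.Header.Get("X-Forwarded-Host"); h != "" {
		host = h
	}
	if p := r.Header.Get("X-Forwarded-Proto"); p != "" {
		scheme = strings.ToLower(p)
	}
	return scheme, host
}

// resetPath is a hypothetical confirmation endpoint (not ZITADEL's real path).
const resetPath = "/password/reset"

// vulnerableResetLink shows the bug class in the advisory: whatever origin the
// headers claim ends up in the emailed link, so the victim's click delivers
// the secret code to the attacker's host.
func vulnerableResetLink(r *http.Request, userID, code string) string {
	scheme, host := requestedOrigin(r)
	return fmt.Sprintf("%s://%s%s?userID=%s&code=%s", scheme, host, resetPath,
		url.QueryEscape(userID), url.QueryEscape(code))
}

// hardenedResetLink accepts the forwarded host only if it is in an operator
// configured allowlist (assumed setting), and never lets a header downgrade
// https to http when the deployment is known to be TLS-only.
func hardenedResetLink(r *http.Request, allowedHosts map[string]bool, requireHTTPS bool,
	userID, code string) (string, error) {
	scheme, host := requestedOrigin(r)
	if !allowedHosts[strings.ToLower(host)] {
		return "", fmt.Errorf("forwarded host %q is not a configured domain", host)
	}
	if requireHTTPS {
		scheme = "https" // ignore proto=http / X-Forwarded-Proto: http
	}
	return fmt.Sprintf("%s://%s%s?userID=%s&code=%s", scheme, host, resetPath,
		url.QueryEscape(userID), url.QueryEscape(code)), nil
}

// stripForwardingHeaders is the advisory's interim workaround expressed in Go:
// drop every Forwarded / X-Forwarded-Host value before the request reaches an
// unpatched instance, so only the Host the proxy itself sets remains.
func stripForwardingHeaders(r *http.Request) {
	r.Header.Del("Forwarded")
	r.Header.Del("X-Forwarded-Host")
}

func main() {
	// Constructed request: TLS-terminated at the edge, but an attacker has
	// supplied a Forwarded header naming their own host and plain http.
	req, _ := http.NewRequest(http.MethodPost, "https://id.example.com/reset", nil)
	req.TLS = &tls.ConnectionState{}
	req.Header.Set("Forwarded", `for=203.0.113.9;host=attacker.example;proto=http`)

	fmt.Println("vulnerable:", vulnerableResetLink(req, "u1", "s3cr3t"))
	_, err := hardenedResetLink(req, map[string]bool{"id.example.com": true}, true, "u1", "s3cr3t")
	fmt.Println("hardened:  ", err)

	stripForwardingHeaders(req) // what the fronting proxy does on every request
	fmt.Println("workaround:", vulnerableResetLink(req, "u1", "s3cr3t"))
}
```

In a real deployment `stripForwardingHeaders` would run in the proxy, not in the application; with Go's `net/http/httputil.ReverseProxy` it can be called from the `Director` hook before the request is forwarded, and the equivalent in nginx or Traefik is to unset or remove those two headers. Note that the workaround only removes the host headers; the scheme downgrade is handled by the patched validation, which is why the hardened builder pins the scheme rather than trusting `proto=` or `X-Forwarded-Proto`.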
The vulnerability was responsibly disclosed by Amit Laish of GE Vernova and coordinated with the ZITADEL team (GitHub Advisory).
Source: This report was generated using AI