
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A critical vulnerability (GHSA-93m4-mfpg-c3xf / CVE-2025-48936) was discovered in ZITADEL's password reset mechanism, affecting versions <3.2.2, <2.70.12, and 2.71.0 through 2.71.10. It was disclosed on May 28, 2025, and involves manipulation of the Forwarded or X-Forwarded-Host header in password reset requests (GitHub Advisory).
The flaw lies in how ZITADEL uses the Forwarded or X-Forwarded-Proto header of an incoming request to construct the password reset confirmation URL, so a request-supplied value determines where the link points. The issue has been assigned a CVSS score of 8.1 (High): attack vector Network, attack complexity Low, privileges required None, user interaction Required, scope Unchanged, confidentiality impact High, integrity impact High (GitHub Advisory, NVD).
If successfully exploited, an attacker can make the password reset confirmation link point to a domain they control. When the user clicks the manipulated link, the secret reset code is delivered to the attacker, who can then complete the reset, set a new password and gain unauthorized access to the account. However, accounts with Multi-Factor Authentication (MFA) or passwordless authentication enabled are protected from this attack vector (GitHub Advisory).
The vulnerability has been patched in versions 3.2.2, 2.70.12, and 2.71.11. The patches validate these headers properly and prevent downgrading the link from HTTPS to HTTP. For users unable to update immediately, the advisory's workaround is to configure the proxy fronting ZITADEL to delete all Forwarded and X-Forwarded-Host header values before forwarding requests to a self-hosted ZITADEL instance (GitHub Advisory).
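As an added illustration, not ZITADEL's code or the advisory's patch, the Go function below shows the shape of the server-side fix described above: the reset link's host comes from operator configuration unless a forwarded host is explicitly allowlisted, and a forwarded proto other than HTTPS is rejected instead of being used to downgrade the link. The ResetLinkPolicy type, the /password/reset path and the sample host names are assumptions made for this example.

```go
package main

import (
	"errors"
	"net/http"
	"net/url"
	"strings"
)

// Operator-supplied policy for reset links (hypothetical type, not ZITADEL's own config).
type ResetLinkPolicy struct {
	ExternalHost string          // canonical public host, always trusted
	AllowedHosts map[string]bool // extra hosts a trusted fronting proxy may present (lowercase)
}

// forwarded returns the X-Forwarded-* header if set, else the named parameter
// from the first element of an RFC 7239 Forwarded header, else "".
func forwarded(r *http.Request, xHeader, param string) string {
	if v := r.Header.Get(xHeader); v != "" {
		return v
	}
	first := strings.SplitN(r.Header.Get("Forwarded"), ",", 2)[0]
	for _, part := range strings.Split(first, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 && strings.EqualFold(kv[0], param) {
			return strings.Trim(kv[1], `"`)
		}
	}
	return ""
}

// BuildResetLink builds the confirmation URL for a reset code. A forwarded host is
// honoured only if allowlisted, and the scheme is never downgraded from HTTPS.
func BuildResetLink(r *http.Request, code string, p ResetLinkPolicy) (string, error) {
	host := strings.ToLower(forwarded(r, "X-Forwarded-Host", "host"))
	if host == "" {
		host = strings.ToLower(p.ExternalHost)
	} else if host != strings.ToLower(p.ExternalHost) && !p.AllowedHosts[host] {
		return "", errors.New("forwarded host not allowlisted: " + host)
	}
	if proto := forwarded(r, "X-Forwarded-Proto", "proto"); proto != "" && !strings.EqualFold(proto, "https") {
		return "", errors.New("refusing to downgrade reset link to " + proto)
	}
	// Path and query name are placeholders, not ZITADEL's real reset route.
	u := url.URL{Scheme: "https", Host: host, Path: "/password/reset", RawQuery: url.Values{"code": {code}}.Encode()}
	return u.String(), nil
}
```

A request carrying no forwarding headers yields a link on the configured host; a request whose Forwarded or X-Forwarded-Host names an unknown domain, or whose proto is http, gets an error instead of a poisoned link.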
Source: This report was generated using AI