Zitadel Expired JWT Keys Vulnerability in Authorization Grants Allowing Token Retrieval

Vulnerability

A vulnerability in Zitadel's identity infrastructure software allows expired JSON Web Token (JWT) keys to be used in Authorization Grants, enabling the retrieval of valid access tokens. The issue arises because Zitadel does not validate the expiration date of the JWT key in this flow, so an attacker holding an expired key can still obtain access tokens. The JWT Profile for OAuth 2.0 Client Authentication on the Token and Introspection endpoints is not affected: those endpoints correctly reject expired keys.

Impact

Exploitation of this vulnerability allows for the unauthorized retrieval of access tokens using expired JWT keys, potentially leading to unauthorized access or actions on behalf of the token holder.

Reproduction

To reproduce this vulnerability, first create a machine account in Zitadel and generate a JWT key with a specified expiration time. After the key expires, attempt to use it in an Authorization Grant for machine-to-machine authentication. The request will be processed successfully, and a valid access token will be returned, demonstrating that the expired key was accepted.
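What the missing check looks like, as an added example in Go that is not Zitadel's own code: a toy verifier for the JWT bearer assertion of an Authorization Grant, where the assertion's own `exp` claim is always checked but the expiry of the registered signing key is only enforced when `checkKeyExpiry` is set, so a fresh assertion signed with an expired key is accepted on the vulnerable path and rejected on the fixed one. `RegisteredKey`, `SignAssertion`, `VerifyAssertion` and the key record's fields are assumptions of this example.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
// RegisteredKey is a constructed stand-in for the server's record of a machine-account key: its public half and the expiry chosen when it was generated.
type RegisteredKey struct {
	Pub     *rsa.PublicKey
	Expires time.Time
}
var ErrKeyExpired = errors.New("registered key has expired")
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// SignAssertion builds an RS256 JWT bearer assertion (header.claims.signature) with the given claims.
func SignAssertion(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	c, _ := json.Marshal(claims)
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(c)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + b64(sig), err
}
// VerifyAssertion checks the signature and the assertion's own exp claim. Only
// with checkKeyExpiry set does it also reject an assertion signed by a registered
// key that is past its expiry: the check the advisory reports was missing.
func VerifyAssertion(tok string, key RegisteredKey, now time.Time, checkKeyExpiry bool) error {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return errors.New("malformed assertion")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // a bad encoding leaves sig invalid, which the signature check rejects
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(key.Pub, crypto.SHA256, h[:], sig); err != nil {
		return err
	}
	var claims struct{ Exp int64 `json:"exp"` }
	raw, _ := base64.RawURLEncoding.DecodeString(parts[1])
	if json.Unmarshal(raw, &claims) != nil || now.Unix() >= claims.Exp {
		return errors.New("assertion expired or unreadable")
	}
	if checkKeyExpiry && !now.Before(key.Expires) {
		return ErrKeyExpired
	}
	return nil
}
```

The contrast to note is that the assertion's `exp` claim is set by whoever holds the private key, so it cannot substitute for the server-side expiry recorded when the key was generated.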

Remediation

Users are advised to update Zitadel to version 2.71.6 or later, or to version 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, or 2.63.9.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.