ZITADEL
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*
- < 3.2.2
- < 2.70.12
- >= 2.71.0, <= 2.71.10
A vulnerability allowing account takeover via header injection in the password reset process has been identified in Zitadel versions prior to 2.70.12, 2.71.0 through 2.71.10, and 3.2.2. Zitadel's password reset mechanism relies on the Forwarded and X-Forwarded-Host headers to create a confirmation link that is emailed to users. If an attacker manipulates these headers, they can direct the password reset link to a malicious domain. When the user clicks the link, the attacker can capture the secret code in the URL and use it to reset the user's password and gain unauthorized access to their account. This vulnerability does not affect accounts with Multi-Factor Authentication (MFA) or Passwordless authentication enabled.
Exploitation of this vulnerability could lead to unauthorized access to user accounts by capturing and misusing password reset codes.
To reproduce this vulnerability, an attacker sends a password reset request carrying a forged X-Forwarded-Proto or X-Forwarded-Host header to a deployment that does not validate or strip these headers. Zitadel then generates a password reset link that points to the attacker-controlled domain. If the victim clicks this link, the attacker can capture the reset code and use it to take over the victim's account.
Users are advised to update Zitadel to version 2.70.12, 2.71.11, or 3.2.2, all of which include patches for this vulnerability. Additionally, if Zitadel is self-hosted, a fronting proxy can be configured to remove all Forwarded and X-Forwarded-Host header values before the requests reach the Zitadel server.
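The following Go program is an added illustration, not Zitadel's own code: it contrasts the flawed pattern the advisory describes (building the reset link's origin from Forwarded / X-Forwarded-Host values) with two defensive measures, a fronting middleware that strips those headers before the application sees them and a link builder that takes its origin only from deployment configuration. The external domain `auth.example.com`, the path `/password/reset`, and the request with `attacker.invalid` as forwarded host are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Assumed to come from deployment configuration, never from a request header.
// Constructed value for this example.
const trustedExternalDomain = "auth.example.com"

// Client-supplied headers that a fronting proxy should remove (the advisory's
// mitigation) so that nothing attacker-controlled reaches the application.
var forwardedHeaders = []string{"Forwarded", "X-Forwarded-Host", "X-Forwarded-Proto"}

// StripForwardedHeaders is middleware that deletes every forwarded header before
// handing the request on. A real proxy would then set its own trusted values.
func StripForwardedHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, h := range forwardedHeaders {
			r.Header.Del(h)
		}
		next.ServeHTTP(w, r)
	})
}

// VulnerableResetBase shows the flawed pattern: the origin of the link that is
// e-mailed to the user is derived from headers the client controls.
func VulnerableResetBase(r *http.Request) string {
	host := r.Header.Get("X-Forwarded-Host")
	if host == "" {
		host = r.Host
	}
	scheme := r.Header.Get("X-Forwarded-Proto")
	if scheme == "" {
		scheme = "https"
	}
	return scheme + "://" + host
}

// HardenedResetBase derives the origin from configuration only. A forwarded host
// that disagrees with the configured domain is rejected; logging that mismatch is
// a useful detection signal for header-injection attempts.
func HardenedResetBase(r *http.Request) (string, error) {
	if fh := r.Header.Get("X-Forwarded-Host"); fh != "" && !strings.EqualFold(fh, trustedExternalDomain) {
		return "", fmt.Errorf("forwarded host %q does not match configured domain %q", fh, trustedExternalDomain)
	}
	u := url.URL{Scheme: "https", Host: trustedExternalDomain}
	return u.String(), nil
}

// BuildResetLink appends the one-time code to a hypothetical reset path. The path
// is constructed for this example and is not Zitadel's real endpoint.
func BuildResetLink(base, code string) string {
	q := url.Values{}
	q.Set("code", code)
	return base + "/password/reset?" + q.Encode()
}

func main() {
	// Constructed request: a reset request carrying a forged forwarded host.
	r, _ := http.NewRequest(http.MethodPost, "https://auth.example.com/password/reset", nil)
	r.Header.Set("X-Forwarded-Host", "attacker.invalid")

	fmt.Println("vulnerable origin:", VulnerableResetBase(r))
	if _, err := HardenedResetBase(r); err != nil {
		fmt.Println("hardened rejects:", err)
	}

	// Behind the stripping middleware the same request yields the trusted origin.
	StripForwardedHeaders(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		base, _ := HardenedResetBase(r)
		fmt.Println("after stripping:", BuildResetLink(base, "EXAMPLE-CODE"))
	})).ServeHTTP(nil, r)
}
```

The middleware and the configuration-based builder are independent layers: the proxy-side strip is the advisory's stated workaround for self-hosted deployments, and the builder is the application-side fix that makes the link origin immune to headers even if a proxy is misconfigured.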