ZITADEL Password Reset Mechanism Vulnerability Leading to Account Takeover

Vulnerability

A vulnerability allowing account takeover via header injection has been identified in ZITADEL's password reset process. The issue is present in versions 4.0.0 prior to 4.6.0, 3.0.0 prior to 3.4.3, and 2.0.0 prior to 2.71.18. ZITADEL uses the Forwarded and X-Forwarded-Host headers to create password reset links, which are sent to users via email. If an attacker manipulates these headers, they can direct the password reset link to a malicious domain they control. When the user clicks the link, the attacker can capture the secret code included in the URL, which can then be used to reset the user's password and gain unauthorized access to their account. This vulnerability does not affect accounts with Multi-Factor Authentication or Passwordless authentication enabled.

Impact

Exploitation of this vulnerability could lead to unauthorized access to user accounts by allowing attackers to reset passwords using captured secret codes from manipulated password reset links.

Reproduction

To reproduce this vulnerability, an attacker must inject a malicious domain into the Forwarded or X-Forwarded-Host headers of a request to ZITADEL. This can be done through host header injection. Once the header is injected, ZITADEL will generate a password reset link pointing to the attacker's domain, including a secret code. If the user clicks this link, the attacker can capture the code and use it to reset the user's password.

Remediation

Users are advised to update ZITADEL to the fixed release for their version line: 4.6.0, 3.4.3, or 2.71.18. For self-hosted ZITADEL environments, a fronting proxy can additionally be configured to remove all Forwarded and X-Forwarded-Host header values before forwarding requests to ZITADEL, so that the host used in generated links is always the one set by the proxy rather than one supplied by the client.
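As an added illustration (not ZITADEL's code), the Go snippet below shows the link-building pattern described under Vulnerability beside a hardened form that only accepts operator-configured domains, plus the proxy-side header stripping from the Remediation section written as middleware. The reset path, the `login.example.com` domain and the `attacker.example` header value are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// requestHost is what a naive link builder uses: the proxy header if set, else r.Host.
func requestHost(r *http.Request) string {
	if h := r.Header.Get("X-Forwarded-Host"); h != "" {
		return h
	}
	return r.Host
}

// Vulnerable pattern (illustrative, not ZITADEL's code): the mailed link is built
// from a client-controlled header, so the request sender picks the link's domain.
func resetLinkUntrusted(r *http.Request, code string) string {
	return "https://" + requestHost(r) + "/reset?code=" + code // hypothetical path
}

var errUntrustedHost = errors.New("request host is not a configured domain")
// Hardened pattern: only an operator-configured external domain may appear in the link.
func resetLinkTrusted(r *http.Request, allowed []string, code string) (string, error) {
	host := strings.TrimSpace(requestHost(r))
	for _, a := range allowed {
		if strings.EqualFold(host, a) {
			return "https://" + strings.ToLower(host) + "/reset?code=" + code, nil
		}
	}
	return "", errUntrustedHost
}

// stripForwardingHeaders is the advisory's proxy-side fix as middleware: both headers
// are removed before the upstream handler runs, so it only sees the proxy-set Host.
func stripForwardingHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del("Forwarded")
		r.Header.Del("X-Forwarded-Host")
		next.ServeHTTP(w, r)
	})
}

func main() {
	r, _ := http.NewRequest("GET", "https://login.example.com/reset", nil)
	r.Header.Set("X-Forwarded-Host", "attacker.example") // constructed sample
	fmt.Println(resetLinkUntrusted(r, "c1"))
	fmt.Println(resetLinkTrusted(r, []string{"login.example.com"}, "c1"))
}
```

Running it prints a link pointing at the header-supplied domain from the first builder and a rejection error from the second; behind the middleware both builders only ever see the proxy-set Host.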

Added: Oct 29, 2025, 7:22 PM
Updated: Oct 29, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 5.0
exploitability: 7.6
remediation: 7.9
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.