ZITADEL
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*
- >= 4.0.0-rc.1, <= 4.7.0
A critical server-side request forgery (SSRF) vulnerability has been identified in ZITADEL, an open-source identity infrastructure tool, affecting versions 4.7.0 and below. The vulnerability allows unauthenticated attackers to manipulate the service URL by exploiting the 'x-zitadel-forward-host' header. This header is treated as a trusted fallback, enabling attackers to force the server to make HTTP requests to arbitrary domains, including internal addresses. The responses from these requests are then returned to the attacker, facilitating data exfiltration and bypassing network segmentation controls.
Exploitation of this vulnerability could lead to unauthorized access to internal services, allowing attackers to exfiltrate sensitive data and circumvent network security measures.
To reproduce this vulnerability, send a request to the ZITADEL Login UI (V2) with the 'x-zitadel-forward-host' header set to an internal address. The server will process the request, fetch the specified internal resource, and return the response, effectively leaking internal data.
Users are advised to update ZITADEL to version 4.7.1 or later. For those using a reverse proxy, ensure that the 'x-zitadel-forward-host' header is either removed or set to the requested host before forwarding the request to ZITADEL. In multi-instance deployments, also set the 'x-zitadel-instance-host' header to the appropriate instance domain.
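The proxy-side mitigation described above, as an added example that is not ZITADEL's own code: a minimal Go reverse proxy that overwrites 'x-zitadel-forward-host' with the Host the proxy actually received (and optionally sets 'x-zitadel-instance-host') before forwarding. The upstream and listen addresses are assumed placeholders.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Header names from the advisory, in the canonical form net/http uses.
const (
	forwardHostHeader  = "X-Zitadel-Forward-Host"
	instanceHostHeader = "X-Zitadel-Instance-Host"
)

// sanitizeForwardHeaders replaces whatever the client sent in
// x-zitadel-forward-host with the Host the proxy actually received, so a
// spoofed value never reaches ZITADEL. instanceHost is the instance domain
// for multi-instance deployments; pass "" to leave that header unset.
func sanitizeForwardHeaders(req *http.Request, instanceHost string) {
	req.Header.Set(forwardHostHeader, req.Host)
	req.Header.Del(instanceHostHeader)
	if instanceHost != "" {
		req.Header.Set(instanceHostHeader, instanceHost)
	}
}

// newZitadelProxy wraps httputil's single-host proxy. The default Director
// rewrites the upstream URL but leaves req.Host as the client sent it, so
// the sanitizer sees the externally requested host.
func newZitadelProxy(upstream *url.URL, instanceHost string) *httputil.ReverseProxy {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	defaultDirector := proxy.Director
	proxy.Director = func(req *http.Request) {
		defaultDirector(req)
		sanitizeForwardHeaders(req, instanceHost)
	}
	return proxy
}

func main() {
	// Assumed addresses: ZITADEL on localhost, proxy listening on :8443.
	upstream, err := url.Parse("http://127.0.0.1:8080")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8443", newZitadelProxy(upstream, "")))
}
```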