ZITADEL
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*
- >= 4.0.0-rc.1, <= 4.7.0
A DOM-based cross-site scripting vulnerability has been identified in ZITADEL, an open-source identity infrastructure tool, specifically in versions 4.0.0-rc.1 prior to 4.7.0. The vulnerability arises in the V2 logout endpoint, which improperly handles the post_logout_redirect GET parameter. This flaw allows unauthenticated remote attackers to execute malicious JavaScript in the browsers of ZITADEL users. Exploitation requires multiple active user sessions in the same browser, although accounts with Multi-Factor Authentication or Passwordless authentication are protected from takeover. The issue has been resolved in ZITADEL version 4.7.1.
Exploitation of this vulnerability allows for DOM-based cross-site scripting, where an attacker can execute malicious JavaScript in the context of the user's browser, potentially leading to account takeover by resetting the victim's password. This impact is particularly concerning as it can be exploited by an unauthenticated remote attacker.
Users are advised to update ZITADEL to version 4.7.1 or later. If running a custom login UI, switch to using the new logout_token parameter, which includes all necessary information in a secure format. Ensure that the ZITADEL_API_URL is correctly set, and that the appropriate host headers are passed through the reverse proxy.
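The advisory's root cause is a redirect parameter that reaches client-side code without being constrained to a safe scheme and an expected destination. The following is an added illustration written for this page, not ZITADEL's own code or its fix; `validatePostLogoutRedirect`, `resolvePostLogoutTarget`, the allowlisted origins and the default URL are all hypothetical names and constructed sample values. It shows the defensive shape a custom login UI wants for any post-logout redirect value: parse it as an absolute URL, accept only `https:`, reject embedded credentials, and require the origin to be on an allowlist, falling back to a fixed page otherwise.

```javascript
// Added example (not ZITADEL's code): allowlist validation for an untrusted
// post-logout redirect value before the browser is sent there. All names and
// values below are hypothetical / constructed for illustration.

// Constructed sample: origins the login UI may send the browser back to.
const ALLOWED_POST_LOGOUT_ORIGINS = new Set([
  "https://app.example.com",
  "https://console.example.com",
]);

// Fixed fallback used whenever the parameter is missing or rejected.
const DEFAULT_POST_LOGOUT_URL = "https://app.example.com/logged-out";

/**
 * Validate an untrusted post-logout redirect value.
 * Returns the normalized absolute URL when every check passes, otherwise null.
 */
function validatePostLogoutRedirect(raw, allowedOrigins = ALLOWED_POST_LOGOUT_ORIGINS) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;

  let url;
  try {
    // Parse without a base URL: relative and protocol-relative values ("//host")
    // throw instead of being resolved against the current page.
    url = new URL(raw);
  } catch {
    return null;
  }

  // Only https targets. This rejects javascript:, data: and similar schemes, which
  // are what turn a redirect parameter into DOM-based XSS once the value is
  // assigned to location or written into the document.
  if (url.protocol !== "https:") return null;

  // Reject userinfo; "https://app.example.com@evil.example" must not look trusted.
  if (url.username || url.password) return null;

  // Exact origin match (scheme + host + port), so lookalike hosts are rejected.
  if (!allowedOrigins.has(url.origin)) return null;

  return url.href;
}

/**
 * Decide where the browser goes after logout: the validated parameter from the
 * query string, or the fixed default when it is absent or fails validation.
 */
function resolvePostLogoutTarget(queryString, allowedOrigins = ALLOWED_POST_LOGOUT_ORIGINS) {
  const params = new URLSearchParams(queryString);
  const candidate = validatePostLogoutRedirect(
    params.get("post_logout_redirect"),
    allowedOrigins,
  );
  return candidate ?? DEFAULT_POST_LOGOUT_URL;
}

// Risky pattern this replaces: assigning the raw parameter straight to location.
// Usage in a browser:
//   window.location.assign(resolvePostLogoutTarget(window.location.search));
```

The allowlist check is deliberately on `url.origin` rather than a substring or prefix of the host, and the default target is chosen whenever validation fails rather than echoing the rejected value back into the page. A server-side logout endpoint that accepts the same parameter should apply the same checks before issuing its redirect.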