Description
ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, vulnerability in ZITADEL's session management API allows any authenticated user to update a session if they know its ID, due to a missing permission check. This flaw enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources. Versions prior to `2.53.0` are not affected, as they required the session token for updates. Versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14 fix the issue.
Question to Ask Vendors:
- Can you confirm whether your systems are affected by CVE-2025-53895, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2025-53895 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions:
- Check out the advisory links provided below.
References:
- https://capec.mitre.org/data/definitions/196.html
- https://capec.mitre.org/data/definitions/21.html
- https://capec.mitre.org/data/definitions/31.html
- https://capec.mitre.org/data/definitions/39.html
- https://capec.mitre.org/data/definitions/59.html
- https://capec.mitre.org/data/definitions/60.html
- https://capec.mitre.org/data/definitions/61.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-53895