CVE-2025-31123
Published: 31 March 2025
Summary
CVE-2025-31123 is a high-severity Use of a Key Past its Expiration Date (CWE-324) vulnerability in Zitadel. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Access Token (T1550.001); ranked in the top 42.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the vulnerability by requiring identification, reporting, and correction of the specific software flaw, the missing JWT key expiration check during authorization grants.
- SI-10 (Information Input Validation): Requires validation of information inputs such as JWT assertions in authorization grant requests, including verification of the expiration claim, so that expired keys cannot obtain access tokens.
- Authenticator management: Ensures proper management and validation of authenticators such as JWT keys presented for authorization grants, addressing the deficiency in expiration enforcement.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability bypasses expiration validation for JWT keys during Authorization Grants, allowing a privileged attacker with an expired key to obtain valid access tokens. This directly facilitates use of alternate authentication material (application access tokens) to access resources.
NVD Description
Zitadel is open-source identity infrastructure software. A vulnerability existed where expired keys can be used to retrieve tokens. Specifically, ZITADEL fails to properly check the expiration date of the JWT key when used for Authorization Grants. This allows an attacker with an expired key to obtain valid access tokens. This vulnerability does not affect the use of JWT Profile for OAuth 2.0 Client Authentication on the Token and Introspection endpoints, which correctly reject expired keys. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9.
Deeper analysis
CVE-2025-31123 is a vulnerability in Zitadel, open-source identity infrastructure software, where expired JWT keys can be used to retrieve valid access tokens. Specifically, Zitadel fails to check the expiration date of JWT keys during Authorization Grants, which enables the bypass. The issue does not affect JWT Profile usage for OAuth 2.0 Client Authentication on the Token and Introspection endpoints, which correctly reject expired keys. It carries a CVSS score of 8.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N) and maps to CWE-324 (Use of a Key Past its Expiration Date).
Exploitation requires high privileges (PR:H) and is network-accessible (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). An attacker holding an expired JWT key of a privileged principal, such as a service account or an authorized client, can submit it for Authorization Grants and obtain fresh, valid access tokens. This leads to high confidentiality (C:H) and integrity (I:H) impacts with scope expansion (S:C), potentially allowing unauthorized access to protected resources.
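The following Go snippet is an added illustration of the defect class described above; it is not ZITADEL's code and not the fixing commit. It models a service-account key record with a registered expiration (a constructed type) and verifies an EdDSA-signed JWT assertion: the signature check passes in both branches, and only the `checkKeyExpiry` branch consults the key's own expiration date.

```go
package main
import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
var b64 = base64.RawURLEncoding
// registeredKey: constructed model of a key record (public half plus expiration); not ZITADEL's own type.
type registeredKey struct {
	Public  ed25519.PublicKey
	Expires time.Time
}
// verifyAssertion resolves the key named in the JWS header and checks the signature. With
// checkKeyExpiry=false it reproduces the CVE-2025-31123 defect: valid signature, expired key, still accepted.
func verifyAssertion(jws string, keys map[string]registeredKey, now time.Time, checkKeyExpiry bool) error {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWS")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[2])
	var hdr struct{ Kid string `json:"kid"` }
	if err1 != nil || err2 != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return errors.New("undecodable header or signature")
	}
	// The missing required step: reject a key past its registered expiration, independently of the JWT exp claim.
	k, ok := keys[hdr.Kid]
	if !ok || (checkKeyExpiry && !now.Before(k.Expires)) {
		return errors.New("key unknown or past its expiration date: " + hdr.Kid)
	}
	if !ed25519.Verify(k.Public, []byte(parts[0]+"."+parts[1]), sig) {
		return errors.New("invalid signature")
	}
	return nil
}
// demo signs an assertion with a key that expired a day earlier: vulnerable verifier accepts (true), fixed rejects (false).
func demo() (vulnerableAccepts, fixedAccepts bool) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	now := time.Now()
	keys := map[string]registeredKey{"key-1": {Public: pub, Expires: now.Add(-24 * time.Hour)}}
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": "key-1"})
	body, _ := json.Marshal(map[string]any{"iss": "svc", "exp": now.Add(time.Hour).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	jws := input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
	return verifyAssertion(jws, keys, now, false) == nil, verifyAssertion(jws, keys, now, true) == nil
}
```

Note that the JWT's own `exp` claim is still in the future in the demo, which is exactly why checking only the assertion and not the key is insufficient.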
The vulnerability is addressed in Zitadel releases 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9. Mitigation involves upgrading to one of these patched versions. The fixing commit is at https://github.com/zitadel/zitadel/commit/315503beabd679f2e6aec0c004f0f9d2f5b53ed3, with release details at the corresponding tags such as https://github.com/zitadel/zitadel/releases/tag/v2.63.9.
Details
- CWE(s)