CVE-2025-46815
Published: 06 May 2025
Summary
CVE-2025-46815 is a high-severity Authentication Bypass by Capture-replay (CWE-294) vulnerability in ZITADEL (vendor: Zitadel). Its CVSS base score is 8.0 (High).
Its exploit-likelihood ranking is at the 43.6th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-13619
Vulnerability details
The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application's URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available.
- CWE(s): CWE-294 (Authentication Bypass by Capture-replay)
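The weakness described above is that an idp intent's (id, token) pair stayed valid after it had already been used to authenticate. The defensive pattern is to make the pair single-use and bounded in time, and to mark it consumed in the same critical section in which it is checked, so that a second presentation (including a concurrent one) fails. The following Go program is an added illustration of that pattern; it is not ZITADEL's code, and the store, its methods and the sample user id are all constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrIntentInvalid is returned for an unknown id, a wrong token, an expired
// intent and a replayed intent alike, so a caller cannot tell the cases apart.
var ErrIntentInvalid = errors.New("intent invalid, expired or already consumed")

type intent struct {
	token     string
	userID    string
	expiresAt time.Time
	consumed  bool
}

// IntentStore is a hypothetical in-memory store of single-use IdP intents.
// Everything here is constructed for this example, not taken from ZITADEL.
type IntentStore struct {
	mu      sync.Mutex
	intents map[string]*intent
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be tested
	replays int              // valid pairs presented again after consumption
}

func NewIntentStore(ttl time.Duration) *IntentStore {
	return &IntentStore{intents: make(map[string]*intent), ttl: ttl, now: time.Now}
}

func randomHex(nBytes int) (string, error) {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Issue records a successful IdP login and returns the (id, token) pair that
// would be delivered to the client on the predefined redirect URI.
func (s *IntentStore) Issue(userID string) (id, token string, err error) {
	if id, err = randomHex(16); err != nil {
		return "", "", err
	}
	if token, err = randomHex(32); err != nil {
		return "", "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.intents[id] = &intent{token: token, userID: userID, expiresAt: s.now().Add(s.ttl)}
	return id, token, nil
}

// Consume checks the pair and marks the intent used inside the same critical
// section, so two requests carrying the same pair cannot both succeed.
func (s *IntentStore) Consume(id, token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	in, ok := s.intents[id]
	if !ok || subtle.ConstantTimeCompare([]byte(in.token), []byte(token)) != 1 {
		return "", ErrIntentInvalid
	}
	if in.consumed {
		s.replays++ // a valid pair presented a second time: worth alerting on
		return "", ErrIntentInvalid
	}
	if s.now().After(in.expiresAt) {
		return "", ErrIntentInvalid
	}
	in.consumed = true
	return in.userID, nil
}

// ReplayAttempts reports how often an already-consumed pair was presented.
func (s *IntentStore) ReplayAttempts() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.replays
}

func main() {
	store := NewIntentStore(5 * time.Minute)
	id, tok, _ := store.Issue("user-42") // constructed sample user
	uid, err := store.Consume(id, tok)
	fmt.Println("first use:", uid, err)
	_, err = store.Consume(id, tok)
	fmt.Println("second use:", err, "replays:", store.ReplayAttempts())
}
```

Keeping consumed entries (rather than deleting them) is what lets the store count a replay separately from an unknown id; in a real deployment that counter would feed an alert, and a periodic sweep would drop entries once their expiry has passed.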
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Automatically terminating sessions after a defined period directly enforces session expiration, preventing indefinite session lifetimes that attackers can exploit.
- Re-authentication after inactivity or time-based triggers prevents indefinite use of potentially hijacked or stale sessions.
- Requiring authenticated, fresh session channels protects against replay of captured session tokens or credentials.
- Accurate synchronized time enables tight timestamp windows that directly limit capture-replay windows in authentication protocols.
- Locking the device (typically after inactivity) until re-authentication addresses insufficient session expiration by preventing indefinite access.
- Displaying the last logon timestamp allows detection of capture-replay attacks, since a replayed logon shows up as the last logon.
- Terminating sessions and network connections upon completion prevents insufficient session expiration.
- Terminating network sessions after inactivity or at end-of-session directly prevents indefinite session lifetime.