Cyber Resilience

CVE-2025-46815

High

Published: 06 May 2025

Published
06 May 2025
Modified
26 August 2025
KEV Added
Patch
CVSS Score v3.1 8.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS Score 0.0021 43.6th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-46815 is a high-severity Authentication Bypass by Capture-replay (CWE-294) vulnerability in Zitadel Zitadel. Its CVSS base score is 8.0 (High).

Operationally, ranked at the 43.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id…

more

and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

zitadel
zitadel
3.0.0 · ≤ 2.70.10 · 2.71.0 — 2.71.9

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-613 CWE-384

Automatically terminating sessions after a defined period directly enforces session expiration, preventing indefinite session lifetimes that attackers can exploit.

addresses: CWE-613 CWE-384

Re-authentication after inactivity or time-based triggers prevents indefinite use of potentially hijacked or stale sessions.

addresses: CWE-294 CWE-384

Protects against replay of captured session tokens or credentials by requiring authenticated, fresh session channels.

addresses: CWE-294 CWE-613

Accurate synchronized time enables tight timestamp windows that directly limit capture-replay windows in authentication protocols.

addresses: CWE-613

Locks the device (typically after inactivity) until re-authentication, addressing insufficient session expiration by preventing indefinite access.

addresses: CWE-294

Allows detection of capture-replay attacks by showing the replayed logon's timestamp as the last logon.

addresses: CWE-613

Terminating sessions and network connections upon completion prevents insufficient session expiration.

addresses: CWE-613

Directly enforces termination of network sessions after inactivity or end-of-session, preventing indefinite session lifetime.

References