Cyber Posture

CVE-2025-53895

High

Published: 15 July 2025
Modified: 26 August 2025
KEV Added: not listed (this CVE is not in the CISA KEV catalog)
Patch: available (see the fixed versions below)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.5th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-53895 is a high-severity Session Fixation (CWE-384) vulnerability in ZITADEL (vendor Zitadel, product Zitadel). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE is ranked at the 29.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Session Hijacking (T1185) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to system resources, directly addressing the missing permission check that allows unauthorized session updates.

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and correction of flaws like the missing permission check in ZITADEL's session management API.

AC-6 Least Privilege (prevent): Employs least privilege to restrict authenticated users from performing unauthorized actions such as updating other users' sessions.

MITRE ATT&CK Enterprise Techniques

T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Why these techniques?
Why these techniques?

Missing permission check enables unauthorized session updates, directly facilitating web session hijacking and theft/use of session credentials for impersonation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, a vulnerability in ZITADEL's session management API allows any authenticated user to update a session if they know its ID, due to a missing permission check. This flaw enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources. Versions prior to 2.53.0 are not affected, as they required the session token for updates. Versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14 fix the issue.

Deeper analysis

CVE-2025-53895 is a vulnerability in ZITADEL, an open source identity management system, affecting the session management API. The issue arises from a missing permission check, allowing any authenticated user to update another user's session if they know its ID. It impacts versions starting from 2.53.0 up to but not including the fixed releases: 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14. Versions prior to 2.53.0 are unaffected, as they required the session token itself for updates.

Any low-privileged authenticated user (PR:L) on the network (AV:N) can exploit this with low complexity (AC:L) and no user interaction (UI:N). By obtaining a target session ID, the attacker can update the session, hijacking it to impersonate the victim and access sensitive resources. The vulnerability carries a CVSS v3.1 base score of 8.8 (C:H/I:H/A:H), tied to CWE-384 (Session Fixation) and CWE-863 (Incorrect Authorization).

ZITADEL's security advisory (GHSA-6c5p-6www-pcmr) and release notes recommend upgrading to the fixed versions: 4.0.0-rc.2, 3.3.2, 2.71.13, or 2.70.14, which restore proper permission checks in the session management API. No other mitigations are specified in the provided references.
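To make the flaw class concrete, the following is an added example and not ZITADEL's own code: a hypothetical, in-memory session store in Go (ZITADEL's implementation language) with a session-update handler in two forms. The first only checks that the caller is authenticated, which is the pattern the advisory describes (any logged-in user who knows a session ID can modify it). The second adds the missing authorization step: the caller must present the session token (as releases before 2.53.0 required), be the session's owner, or hold an explicit session-write permission. All type and field names, the `session.write` permission string, and the seeded session are assumptions made for this example; the hardened version also records denied attempts so a defender has something to alert on.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// Session is a hypothetical, in-memory session model for this example;
// the field names are assumptions, not ZITADEL's own types.
type Session struct {
	ID      string
	OwnerID string   // user the session belongs to
	Token   string   // secret returned only to the creator (pre-2.53.0 style proof)
	Factors []string // authentication factors recorded on the session
}

// Caller is the authenticated principal making the API request.
type Caller struct {
	UserID      string
	Permissions map[string]bool // e.g. "session.write" for administrators (assumed name)
}

var (
	ErrUnauthenticated = errors.New("unauthenticated")
	ErrForbidden       = errors.New("forbidden")
)

// Store holds sessions plus an audit trail of rejected updates (detection hook).
type Store struct {
	sessions map[string]*Session
	Denied   []string
}

// NewDemoStore seeds one constructed session owned by "user-victim".
func NewDemoStore() *Store {
	return &Store{sessions: map[string]*Session{
		"sess-1": {ID: "sess-1", OwnerID: "user-victim", Token: "tok-constructed-secret"},
	}}
}

// UpdateSessionVulnerable mirrors the flaw class: the only gate is "is the
// caller logged in?", so any authenticated user who learns a session ID can
// modify it. Kept here only to contrast with the hardened version.
func (st *Store) UpdateSessionVulnerable(caller Caller, id, factor string) error {
	if caller.UserID == "" {
		return ErrUnauthenticated
	}
	s, ok := st.sessions[id]
	if !ok {
		return ErrForbidden
	}
	s.Factors = append(s.Factors, factor)
	return nil
}

// UpdateSessionHardened adds the missing permission check. The caller must
// prove a relationship to the session: present its token, be its owner, or
// hold an explicit session-write permission. Unknown IDs and unauthorized
// callers get the same error so the endpoint does not reveal which IDs exist.
func (st *Store) UpdateSessionHardened(caller Caller, id, presentedToken, factor string) error {
	if caller.UserID == "" {
		return ErrUnauthenticated
	}
	s, ok := st.sessions[id]
	if !ok || !st.authorized(caller, s, presentedToken) {
		st.Denied = append(st.Denied, fmt.Sprintf("user=%s session=%s", caller.UserID, id))
		return ErrForbidden
	}
	s.Factors = append(s.Factors, factor)
	return nil
}

// authorized is the permission check the vulnerable handler lacks.
func (st *Store) authorized(caller Caller, s *Session, presentedToken string) bool {
	if presentedToken != "" &&
		subtle.ConstantTimeCompare([]byte(presentedToken), []byte(s.Token)) == 1 {
		return true
	}
	return caller.UserID == s.OwnerID || caller.Permissions["session.write"]
}

// Factors returns the factors recorded on a session (nil if unknown).
func (st *Store) Factors(id string) []string {
	if s, ok := st.sessions[id]; ok {
		return s.Factors
	}
	return nil
}

func main() {
	st := NewDemoStore()
	other := Caller{UserID: "user-other"} // authenticated, but not the session's owner
	fmt.Println("vulnerable:", st.UpdateSessionVulnerable(other, "sess-1", "otp"))
	fmt.Println("hardened:  ", st.UpdateSessionHardened(other, "sess-1", "", "otp"))
	fmt.Println("denied log:", st.Denied)
}
```

The point of the contrast is that authentication of the caller is not authorization over the session object; the check has to tie the caller to the specific session being modified. The denied-update log is the natural place to hook an alert, since a burst of rejected updates from one user across many session IDs is exactly the activity this class of flaw invites.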

Details

CWE(s): CWE-384 (Session Fixation), CWE-863 (Incorrect Authorization)

Affected Products

zitadel / zitadel: 4.0.0 · 2.53.0 — 2.70.14 · 2.71.0 — 2.71.13 · 3.0.0 — 3.3.1

CVEs Like This One

CVE-2026-29191 (same product: Zitadel Zitadel)
CVE-2025-64717 (same product: Zitadel Zitadel)
CVE-2026-29193 (same product: Zitadel Zitadel)
CVE-2026-29192 (same product: Zitadel Zitadel)
CVE-2026-32131 (same product: Zitadel Zitadel)
CVE-2026-29067 (same product: Zitadel Zitadel)
CVE-2025-64103 (same product: Zitadel Zitadel)
CVE-2025-27507 (same product: Zitadel Zitadel)
CVE-2025-31123 (same product: Zitadel Zitadel)
CVE-2026-32130 (same product: Zitadel Zitadel)
