Cyber Resilience

CVE-2025-53895

Severity: High
Published: 15 July 2025
Modified: 26 August 2025
KEV Added: not listed
Patch: available
CVSS v4 Score: 7.7 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0032 (55.7th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-53895 is a high-severity Session Fixation (CWE-384) vulnerability in ZITADEL (vendor: Zitadel). Its CVSS v4 base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE ranks in the top 44.3% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-53895 is a vulnerability in ZITADEL, an open source identity management system, affecting the session management API. The issue arises from a missing permission check, allowing any authenticated user to update another user's session if they know its ID. It impacts versions starting from 2.53.0 up to but not including the fixed releases: 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14. Versions prior to 2.53.0 are unaffected, as they required the session token itself for updates.

Any low-privileged authenticated user (PR:L) on the network (AV:N) can exploit this with low complexity (AC:L) and no user interaction (UI:N). By obtaining a target session ID, the attacker can update the session, hijacking it to impersonate the victim and access sensitive resources. The vulnerability carries a CVSS v3.1 base score of 8.8 (C:H/I:H/A:H), tied to CWE-384 (Session Fixation) and CWE-863 (Incorrect Authorization).

ZITADEL's security advisory (GHSA-6c5p-6www-pcmr) and release notes recommend upgrading to the fixed versions: 4.0.0-rc.2, 3.3.2, 2.71.13, or 2.70.14, which restore proper permission checks in the session management API. No other mitigations are specified in the provided references.
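To make the described flaw concrete, the Go model below is an added example and not ZITADEL's code: it contrasts a session-update handler that relies on authentication alone with one that requires either the session token (as releases before 2.53.0 did) or an explicit permission. The store, the `session.write` permission name and the sample session are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
)

// Constructed model, not ZITADEL's data model; Token is the secret handed only
// to the session's creator, and the "session.write" permission is hypothetical.
type Session struct {
	Token   string
	Factors []string // authentication factors recorded on the session
}
type Store struct{ sessions map[string]*Session }

var ErrForbidden = errors.New("permission denied")

// updateVulnerable mirrors the described flaw: the caller was authenticated
// upstream, but nothing here ties that caller to the session being changed.
func (s *Store) updateVulnerable(id, factor string) error {
	if sess, ok := s.sessions[id]; ok {
		sess.Factors = append(sess.Factors, factor)
		return nil
	}
	return errors.New("session not found")
}

// updateChecked demands proof of control: the session token (as pre-2.53.0 releases
// required) or an explicit permission; unknown IDs and failed checks share one error.
func (s *Store) updateChecked(perms map[string]bool, id, token, factor string) error {
	sess, ok := s.sessions[id]
	tokenOK := ok && token != "" &&
		subtle.ConstantTimeCompare([]byte(token), []byte(sess.Token)) == 1
	if !ok || (!tokenOK && !perms["session.write"]) {
		return ErrForbidden
	}
	sess.Factors = append(sess.Factors, factor)
	return nil
}

// Demo: an authenticated attacker knowing only the victim's session ID tries both
// handlers; the owner (with the token) and an admin (with the permission) follow.
func Demo() (vulnHijacked, checkedHijacked, ownerUpdated, adminUpdated bool) {
	store := &Store{sessions: map[string]*Session{"sess-1": {Token: "tok-victim"}}}
	vulnHijacked = store.updateVulnerable("sess-1", "password") == nil
	checkedHijacked = store.updateChecked(nil, "sess-1", "", "password") == nil
	ownerUpdated = store.updateChecked(nil, "sess-1", "tok-victim", "password") == nil
	adminUpdated = store.updateChecked(map[string]bool{"session.write": true}, "sess-1", "", "password") == nil
	return
}
```

The checked handler returns the same error for an unknown session ID and for a failed authorization, so the endpoint cannot be used to confirm which session IDs exist.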

Vulnerability details

ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, a vulnerability in ZITADEL's session management API allows any authenticated user to update a session if they know its ID, due to a missing permission check. This flaw enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources. Versions prior to 2.53.0 are not affected, as they required the session token for updates. Versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14 fix the issue.

CWE(s)

CWE-384 (Session Fixation) · CWE-863 (Incorrect Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

The missing permission check enables unauthorized session updates, which directly facilitates web session hijacking and the theft and reuse of session credentials for impersonation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-29191 (same product: Zitadel Zitadel)
CVE-2026-44671 (same product: Zitadel Zitadel)
CVE-2026-29067 (same product: Zitadel Zitadel)
CVE-2026-32130 (same product: Zitadel Zitadel)
CVE-2026-32132 (same product: Zitadel Zitadel)
CVE-2025-31123 (same product: Zitadel Zitadel)
CVE-2026-29192 (same product: Zitadel Zitadel)
CVE-2026-29193 (same product: Zitadel Zitadel)
CVE-2026-32131 (same product: Zitadel Zitadel)
CVE-2025-64103 (same product: Zitadel Zitadel)

Affected Assets

Vendor: zitadel
Product: zitadel
Affected versions: 4.0.0 · 2.53.0 to 2.70.14 · 2.71.0 to 2.71.13 · 3.0.0 to 3.3.1

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to system resources, directly addressing the missing permission check that allows unauthorized session updates.

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and correction of flaws like the missing permission check in ZITADEL's session management API.

AC-6 Least Privilege (prevent): Employs least privilege to restrict authenticated users from performing unauthorized actions such as updating other users' sessions.
