CVE-2024-49753

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-49753
Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions allows bypassing restrictions intended to block requests to localhost (127.0.0.1). The isHostBlocked check, designed to prevent such requests, can be circumvented by creating a DNS record that resolves to 127.0.0.1. This enables actions to send requests to localhost despite the intended security measures. This vulnerability potentially allows unauthorized access to unsecured internal endpoints, which may contain sensitive information or functionalities. Versions 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.

5.9 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.7 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/zitadel/zitadel/releases/tag/v2.58.7 Release Notes
https://github.com/zitadel/zitadel/releases/tag/v2.59.5 Release Notes
https://github.com/zitadel/zitadel/releases/tag/v2.60.4 Release Notes
https://github.com/zitadel/zitadel/releases/tag/v2.61.4 Release Notes
https://github.com/zitadel/zitadel/releases/tag/v2.62.8 Release Notes
https://github.com/zitadel/zitadel/releases/tag/v2.63.6 Release Notes
https://github.com/zitadel/zitadel/releases/tag/v2.64.1 Release Notes
https://github.com/zitadel/zitadel/security/advisories/GHSA-6cf5-w9h3-4rqv Vendor Advisory Exploit
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
History

26 Aug 2025, 16:28

Type Values Removed Values Added
References () https://github.com/zitadel/zitadel/releases/tag/v2.58.7 - () https://github.com/zitadel/zitadel/releases/tag/v2.58.7 - Release Notes
References () https://github.com/zitadel/zitadel/releases/tag/v2.59.5 - () https://github.com/zitadel/zitadel/releases/tag/v2.59.5 - Release Notes
References () https://github.com/zitadel/zitadel/releases/tag/v2.60.4 - () https://github.com/zitadel/zitadel/releases/tag/v2.60.4 - Release Notes
References () https://github.com/zitadel/zitadel/releases/tag/v2.61.4 - () https://github.com/zitadel/zitadel/releases/tag/v2.61.4 - Release Notes
References () https://github.com/zitadel/zitadel/releases/tag/v2.62.8 - () https://github.com/zitadel/zitadel/releases/tag/v2.62.8 - Release Notes
References () https://github.com/zitadel/zitadel/releases/tag/v2.63.6 - () https://github.com/zitadel/zitadel/releases/tag/v2.63.6 - Release Notes
References () https://github.com/zitadel/zitadel/releases/tag/v2.64.1 - () https://github.com/zitadel/zitadel/releases/tag/v2.64.1 - Release Notes
References () https://github.com/zitadel/zitadel/security/advisories/GHSA-6cf5-w9h3-4rqv - () https://github.com/zitadel/zitadel/security/advisories/GHSA-6cf5-w9h3-4rqv - Vendor Advisory, Exploit
CPE cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*
CWE NVD-CWE-noinfo
First Time Zitadel
Zitadel zitadel
Information

Published : 2024-10-25 14:15

Updated : 2025-08-26 16:28

NVD link : CVE-2024-49753

Mitre link : CVE-2024-49753

CVE.ORG link : CVE-2024-49753

JSON object : View

Products Affected

zitadel

  • zitadel
CWE
CWE-20

Improper Input Validation

NVD-CWE-noinfo