The open-source identity infrastructure software, Zitadel, is designed for organizations that want to manage users and their access rights in a centralized manner. It offers various useful features, including user self-registration, which allows users to create accounts and manage their profiles without the need for administrator intervention. However, a recently discovered vulnerability exposes the software to potential attacks that could lead to unauthorized access and the manipulation of sensitive settings.
In this post, we will explore the details of this vulnerability (CVE-2025-27507), the affected versions of Zitadel, and how to mitigate the risk. We will also provide code snippets to help you understand the vulnerability and demonstrate its impact on your systems.
The Vulnerability
CVE-2025-27507 is an Insecure Direct Object Reference (IDOR) vulnerability affecting ZITADEL's Admin API. An IDOR vulnerability arises when a system does not properly verify the access rights of a user before allowing them to interact with objects, such as files, databases, or configuration settings.
In the case of Zitadel, authenticated users without specific IAM roles can exploit several endpoints to modify sensitive settings, potentially leading to unauthorized access or privilege escalation. The most critical vulnerability lies in the ability to manipulate LDAP configurations, which could have severe consequences for organizations that rely on LDAP authentication.
It is important to note that organizations using Zitadel without LDAP authentication are not exposed to the most severe aspects of this vulnerability. However, it is strongly recommended that all users upgrade to the patched version to address all identified issues.
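As an added illustration (not code from this post or from the ZITADEL project), the following Go sketch contrasts the bug class described above, an Admin API operation gated on authentication alone, with the same operation gated on an explicit instance-level (IAM) role check; the role names, action names and function names are assumptions, not ZITADEL's own identifiers.

```go
package main

import "errors"

// ErrForbidden: the caller is authenticated but holds no role for the action.
var ErrForbidden = errors.New("forbidden: missing IAM role")

// Caller is an authenticated principal with its instance-level (IAM) roles.
// Role and action names are assumptions for illustration, not ZITADEL's own.
type Caller struct {
	Subject string
	Roles   map[string]bool
}

// requiredRoles maps each sensitive Admin API action to the IAM roles that
// may perform it. Actions absent from this table are denied (fail closed).
var requiredRoles = map[string][]string{
	"ldap.idp.write":        {"IAM_OWNER"},
	"instance.policy.write": {"IAM_OWNER", "IAM_ADMIN"},
}

// authorize is the check the post describes as missing: a valid session is
// necessary but not sufficient; the caller must also hold a permitted role.
func authorize(c *Caller, action string) error {
	if c == nil {
		return errors.New("unauthenticated")
	}
	for _, r := range requiredRoles[action] { // nil slice if action unknown
		if c.Roles[r] {
			return nil
		}
	}
	return ErrForbidden
}

// vulnerableUpdateLDAP mirrors the bug class: it only requires an
// authenticated session, so a self-registered user with no IAM role passes.
func vulnerableUpdateLDAP(c *Caller) error {
	if c == nil {
		return errors.New("unauthenticated")
	}
	return nil // configuration change would be applied here
}

// hardenedUpdateLDAP gates the same operation on the role check.
func hardenedUpdateLDAP(c *Caller) error {
	return authorize(c, "ldap.idp.write") // apply the change only on nil
}
```

The same pattern applies to every settings endpoint the post mentions: the fix is an authorization check per action, not a change to authentication.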
You can check your current Zitadel version by running the following command:
zitadel version
Mitigation
To address this vulnerability, users are advised to upgrade their Zitadel instance to the patched version (any of the above-listed versions). The latest version can be obtained from the official Zitadel GitHub repository here.
To upgrade your Zitadel instance, follow the steps outlined in the official documentation here.
Conclusion
CVE-2025-27507 is a critical vulnerability affecting the popular Zitadel identity infrastructure software. Organizations that rely on LDAP authentication are at the highest risk, but it is recommended that all users upgrade their installations to the patched version. By doing so, you will protect your systems from potential unauthorized access and ensure the security of your users and their access rights.
Timeline
Published on: 03/04/2025 17:15:20 UTC