Auth bypass in Zitadel

CVE-2025-64103

Starting with 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi-factor authentication when the login policy had either requireMFA or requireMFAForLocalUsers enabled. If a user had set up MFA without this requirement, Zitadel would…
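The advisory's description is cut short above; the title, however, states that the result is an authentication bypass, and the sentence before the cut implies that factors a user enrolled voluntarily were not enforced unless the login policy also demanded MFA. The following Go model is an added example, not Zitadel's own code: it places the policy-only decision (the vulnerable shape) beside a decision that also honours user-enrolled factors, and runs a password login through both. The `LoginPolicy`, `User`, `Authenticate` names, the reading of `requireMFAForLocalUsers` as "applies to local, non-federated accounts", and the sample users are assumptions made for the illustration.

```go
package main

import "fmt"

// LoginPolicy carries the two policy flags named in the advisory.
type LoginPolicy struct {
	RequireMFA              bool
	RequireMFAForLocalUsers bool
}

// User is a hypothetical account model (not Zitadel's): whether the account
// is local rather than federated through an external IdP, and which second
// factors the user has enrolled on their own.
type User struct {
	Local           bool
	EnrolledFactors []string // constructed sample values such as "totp", "u2f"
}

// mfaRequiredByPolicy is the policy-only condition. Used alone it is the
// vulnerable decision: with both flags off, a user who enrolled a factor is
// never challenged for it. (Assumption: the ForLocalUsers flag scopes to
// local accounts.)
func mfaRequiredByPolicy(p LoginPolicy, u User) bool {
	return p.RequireMFA || (p.RequireMFAForLocalUsers && u.Local)
}

// mfaRequiredFixed keeps the policy condition and additionally enforces any
// factor the user has enrolled, which closes the bypass modelled here.
func mfaRequiredFixed(p LoginPolicy, u User) bool {
	return mfaRequiredByPolicy(p, u) || len(u.EnrolledFactors) > 0
}

// Authenticate models one password login. passwordOK is the result of the
// first factor; mfaDone says whether a second factor was verified in this
// session; decide is the MFA decision under test.
func Authenticate(p LoginPolicy, u User, passwordOK, mfaDone bool,
	decide func(LoginPolicy, User) bool) (bool, string) {
	if !passwordOK {
		return false, "bad password"
	}
	if decide(p, u) && !mfaDone {
		return false, "second factor required"
	}
	return true, "ok"
}

func main() {
	// Constructed scenario: policy does not require MFA, but the local user
	// enrolled TOTP. An attacker holding only the password attempts login.
	policy := LoginPolicy{}
	victim := User{Local: true, EnrolledFactors: []string{"totp"}}

	for _, d := range []struct {
		name   string
		decide func(LoginPolicy, User) bool
	}{
		{"policy-only (vulnerable)", mfaRequiredByPolicy},
		{"policy or enrolled (fixed)", mfaRequiredFixed},
	} {
		ok, why := Authenticate(policy, victim, true, false, d.decide)
		fmt.Printf("%-28s password only -> granted=%v (%s)\n", d.name, ok, why)
	}
}
```

Running it shows the policy-only decision granting the session on the password alone while the corrected decision stops at "second factor required". The same harness can be pointed at a real deployment's policy flags to check which accounts a password compromise would fully expose before upgrading.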

EPSS: 0.001 (25.2nd percentile)

Affected products

  • Zitadel — versions >= 4.0.0-rc.1 and < 4.6.0
  • Zitadel — versions >= 3.0.0-rc.1 and < 3.4.3
  • Zitadel — versions >= 2.55.0 and < 2.71.18
