x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-cfjq-28r2-4jv5

[GoVulnBot]

Advisory GHSA-cfjq-28r2-4jv5 references a vulnerability in the following Go modules:

Module
github.com/zitadel/zitadel

Description:

Summary

A vulnerability in Zitadel's token verification prematurely marked sessions as authenticated when only one factor was verified.

Impact

Zitadel provides an API for managing sessions, enabling custom login experiences in a dedicated UI or direct integration into applications. Session Tokens are issued for active sessions, which can be used as Bearer tokens to call the Zitadel API.

Starting from 2.55.0 (see other affected versions below), Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If...

References:

• ADVISORY: GHSA-cfjq-28r2-4jv5
• ADVISORY: GHSA-cfjq-28r2-4jv5
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-64103
• FIX: zitadel/zitadel@b284f84

Cross references:

• github.com/zitadel/zitadel appears in 23 other report(s):
  • data/excluded/GO-2022-0961.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2022-36051 #961) NOT_IMPORTABLE
  • data/excluded/GO-2023-1489.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-6rrr-78xp-5jp8 #1489) NOT_IMPORTABLE
  • data/excluded/GO-2023-2107.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-44399 #2107) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2155.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2023-46238 #2155) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2187.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7h8m-vrxx-vr4m #2187) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2368.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-2wmj-46rj-qm2w #2368) NOT_IMPORTABLE
  • data/reports/GO-2024-2637.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-mq4x-r2w3-j7mr #2637)
  • data/reports/GO-2024-2655.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hfrg-4jwr-jfpj #2655)
  • data/reports/GO-2024-2664.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-gp8g-f42f-95q2 #2664)
  • data/reports/GO-2024-2665.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-hr5w-cwwq-2v4m #2665)
  • data/reports/GO-2024-2788.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-7j7j-66cv-m239 #2788)
  • data/reports/GO-2024-2804.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-32967 #2804)
  • data/reports/GO-2024-2968.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-39683 #2968)
  • data/reports/GO-2024-3014.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41952 #3014)
  • data/reports/GO-2024-3015.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-41953 #3015)
  • data/reports/GO-2024-3137.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-2w5j-qfvw-2hf5 #3137)
  • data/reports/GO-2024-3138.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-jj94-6f5c-65r8 #3138)
  • data/reports/GO-2024-3139.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-qr2h-7pwm-h393 #3139)
  • data/reports/GO-2024-3216.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-49753 #3216)
  • data/reports/GO-2024-3217.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2024-49757 #3217)
  • data/reports/GO-2025-3499.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: GHSA-f3gh-529w-v32x #3499)
  • data/reports/GO-2025-3671.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel: CVE-2025-46815 #3671)
  • data/reports/GO-2025-3721.yaml (x/vulndb: potential Go vuln in github.com/zitadel/zitadel/v2: GHSA-93m4-mfpg-c3xf #3721)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/zitadel/zitadel
      non_go_versions:
        - introduced: TODO (earliest fixed "2.71.18", vuln range ">= 2.55.0, <= 2.71.17")
        - introduced: TODO (earliest fixed "", vuln range ">= 2.54.3, <= 2.54.10")
        - introduced: TODO (earliest fixed "", vuln range ">= 2.53.6, <= 2.53.9")
      vulnerable_at: 1.87.5
summary: Zitadel May Bypass Second Authentication Factor in github.com/zitadel/zitadel
cves:
    - CVE-2025-64103
ghsas:
    - GHSA-cfjq-28r2-4jv5
references:
    - advisory: https://github.com/advisories/GHSA-cfjq-28r2-4jv5
    - advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-cfjq-28r2-4jv5
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-64103
    - fix: https://github.com/zitadel/zitadel/commit/b284f8474eed0cba531905101619e7ae7963156b
notes:
    - fix: 'module merge error: could not merge versions of module github.com/zitadel/zitadel: invalid or non-canonical semver version (found TODO (earliest fixed "2.71.18", vuln range ">= 2.55.0, <= 2.71.17"))'
source:
    id: GHSA-cfjq-28r2-4jv5
    created: 2025-10-29T23:01:23.97798169Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/717381 mentions this issue: data/reports: add 9 reports

[gopherbot]

Change https://go.dev/cl/717402 mentions this issue: data/reports: add 15 reports