SCA: security update for github.com/zitadel/zitadel (GHSA-j4g7-v4m4-77px)

high Tenable Self-Hosted Container Security Plugin ID 436065

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- ZITADEL is an open source identity management platform. Starting in version 2.50.0 and prior to versions
2.71.19, 3.4.4, and 4.6.6, a vulnerability in ZITADEL's federation process allowed auto-linking users from
external identity providers to existing users in ZITADEL even if the corresponding IdP was not active or
if the organization did not allow federated authentication. This vulnerability stems from the platform's
failure to correctly check or enforce an organization's specific security settings during the
authentication flow. An Organization Administrator can explicitly disable an IdP or disallow federation,
but this setting was not being honored during the auto-linking process. This allowed an unauthenticated
attacker to initiate a login using an IdP that should have been disabled for that organization. The
platform would incorrectly validate the login and, based on a matching criteria, link the attacker's
external identity to an existing internal user account. This may result in a full Account Takeover,
bypassing the organization's mandated security controls. Note that accounts with MFA enabled can not be
taken over by this attack. Also note that only IdPs create on an instance level would allow this to work.
IdPs registered on another organization would always be denied in the (auto-)linking process. Versions
4.6.6, 3.4.4, and 2.71.19 resolve the issue by correctly validating the organization's login policy before
auto-linking an external user. No known workarounds are available aside from upgrading. (CVE-2025-64717)

See Also

https://github.com/advisories/GHSA-j4g7-v4m4-77px

Plugin Details

Severity: High

ID: 436065

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 11/15/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.83

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-64717

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.4

Threat Score: 4.5

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/14/2025

Vulnerability Publication Date: 11/13/2025

Reference Information

CVE: CVE-2025-64717

cwe: CWE-287