Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2025-31123
Good to know:
Date: March 31, 2025
Zitadel is open-source identity infrastructure software. A vulnerability existed where expired keys can be used to retrieve tokens. Specifically, ZITADEL fails to properly check the expiration date of the JWT key when used for Authorization Grants. This allows an attacker with an expired key to obtain valid access tokens. This vulnerability does not affect the use of JWT Profile for OAuth 2.0 Client Authentication on the Token and Introspection endpoints, which correctly reject expired keys. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9.
Severity Score
Related Resources (13)
Severity Score
Weakness Type (CWE)
Use of a Key Past its Expiration Date
CWE-324Top Fix
Upgrade Version
Upgrade to version https://github.com/zitadel/zitadel.git - v2.63.9;https://github.com/zitadel/zitadel.git - v2.64.6;https://github.com/zitadel/zitadel.git - v2.65.7;https://github.com/zitadel/zitadel.git - v2.66.16;https://github.com/zitadel/zitadel.git - v2.67.13;https://github.com/zitadel/zitadel.git - v2.68.9;https://github.com/zitadel/zitadel.git - v2.70.8;https://github.com/zitadel/zitadel.git - v2.71.6;https://github.com/zitadel/zitadel.git - v2.69.9
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | HIGH |
| User Interaction (UI): | NONE |
| Scope (S): | CHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | HIGH |
| Availability (A): | NONE |