Description
ZITADEL is an open source identity management platform. From 4.0.0-rc.1 through 4.15.1, ZITADEL's HTTP notification channels, OIDC BackChannel Logout, and SAML metadata URL fetches do not consistently validate user-defined URLs against protected denylist handling, allowing server-side requests to loopback, internal IP, link-local, or redirected endpoints through DNS rebinding, redirects, or protocol downgrades. This issue is fixed in version 4.15.2.
Problem types
CWE-918: Server-Side Request Forgery (SSRF)
Product status
References
github.com/...itadel/security/advisories/GHSA-29jh-8cfq-rr8x
github.com/...ommit/b6f78086913b8d916bce9ab2e049ab0d84f947fd
github.com/zitadel/zitadel/releases/tag/v4.15.2