CVE-2025-31123 · HIGH 8.7 · EPSS percentile 26.0%

Description

Zitadel is open-source identity infrastructure software. A vulnerability exists in which expired keys can be used to retrieve tokens. Specifically, ZITADEL fails to properly check the expiration date of the JWT key when it is used for Authorization Grants, which allows an attacker holding an expired key to obtain valid access tokens. This vulnerability does not affect the use of JWT Profile for OAuth 2.0 Client Authentication on the Token and Introspection endpoints, which correctly reject expired keys. This vulnerability is fixed in versions 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9.

Scoring

CVSS 3.1: 8.7 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.34% probability of exploitation · percentile 26.0% · 2026-06-18T12:00:27Z
Published: 2025-03-31
Last modified: 2025-08-26

Underlying weaknesses · 1

CWE-324: Use of a Key Past its Expiration Date

References

  1. https://github.com/zitadel/zitadel/commit/315503beabd679f2e6aec0c004f0f9d2f5b53ed3
  2. https://github.com/zitadel/zitadel/releases/tag/v2.63.9
  3. https://github.com/zitadel/zitadel/releases/tag/v2.64.6
  4. https://github.com/zitadel/zitadel/releases/tag/v2.65.7
  5. https://github.com/zitadel/zitadel/releases/tag/v2.66.16
  6. https://github.com/zitadel/zitadel/releases/tag/v2.67.13
  7. https://github.com/zitadel/zitadel/releases/tag/v2.68.9
  8. https://github.com/zitadel/zitadel/releases/tag/v2.69.9

Type     | Target                                           | Confidence | Tier
Weakness | Use of a Key Past its Expiration Date (cwe-324)  | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-64102
  2. CVE-2025-48936
  3. CVE-2026-29191
  4. CVE-2026-29193
  5. CVE-2025-53895
  6. CVE-2025-64101

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.