Zitadel CVE
Is there a way to detect if the exploid was used on our instance? What todo now except ofc updating to 4.7.5?
AHi @Jakob, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
AAnswer
I wasn't able to find direct documentation on how to detect if CVE-2025-55182 was exploited on your instance or specific post-incident steps beyond updating.Here's what the community discussion mentions:
- What was potentially exposed: The RCE vulnerability allowed reading environment variables, including the
SYSTEM_USER_PRIVATE_KEYused by the login UI for theIAM_LOGIN_CLIENTrole. (1) - **Suggested mitigations from community members**:
- Turn off the V2 login feature flag so it uses the Go-based web template instead of the Next.js login
- Enable MFA in external systems as an additional layer of protection
- Consider rotating any keys that might have been exposed
- **Detection**: One community member asked about checking audit logs for signs of exploitation, but no definitive answer was provided in the available sources.
- Clicking the "Ask for help" button to get a team member's input
- Reviewing the security advisories for official guidance (2)
- Contacting support via Contact
A
To learn more, see the sources I considered:
[1] [Security] Update React and Next.js to fix CVE-2025-55182 (Critical RCE vulnerability)
[2] Vulnerability Disclosure Policy
To learn more, see the sources I considered:
[1] [Security] Update React and Next.js to fix CVE-2025-55182 (Critical RCE vulnerability)
[2] Vulnerability Disclosure Policy
A
A
