CVE-2025-31123
Published: 31 March 2025
Description
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.
Security Summary
CVE-2025-31123 is a vulnerability in Zitadel, an open-source identity infrastructure software, where expired JWT keys can be used to retrieve valid access tokens. Specifically, Zitadel fails to properly check the expiration date of JWT keys during Authorization Grants, enabling this bypass. The issue does not affect JWT Profile usage for OAuth 2.0 Client Authentication on Token and Introspection endpoints, which correctly reject expired keys. It carries a CVSS score of 8.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N) and maps to CWE-324 (Missing Required Cryptographic Step).
Exploitation requires high privileges (PR:H) and is network-accessible (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). A privileged attacker possessing an expired JWT key—such as a service account or authorized client—can submit it for Authorization Grants to obtain fresh, valid access tokens. This leads to high confidentiality (C:H) and integrity (I:H) impacts with scope expansion (S:C), potentially allowing unauthorized access to protected resources.
The vulnerability is addressed in Zitadel releases 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9. Mitigation involves upgrading to one of these patched versions. The fixing commit is at https://github.com/zitadel/zitadel/commit/315503beabd679f2e6aec0c004f0f9d2f5b53ed3, with release details at the corresponding tags such as https://github.com/zitadel/zitadel/releases/tag/v2.63.9.
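To make the missing check concrete, here is an added illustration (not Zitadel's code and not taken from the fixing commit) of a JWT-bearer grant handler in two forms: one that validates the assertion's signature and claims but ignores the registered key's own expiry, and one that also refuses assertions signed with an expired key. The key registry, the HS256 signing (real deployments use asymmetric keys per RFC 7523; HMAC is used here only to keep the example dependency-free), and the function names are constructed for this example.

```python
"""Key-expiry check for JWT-bearer authorization grants (constructed example).

Assumptions (not Zitadel's code): a registry maps a key id to its secret and
the time after which that key must no longer be accepted. The assertion is
a minimal HS256 JWT built by hand so the example runs with the standard
library only.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


@dataclass
class RegisteredKey:
    kid: str
    secret: bytes      # stands in for the client's key material
    expires_at: int    # unix time after which this key is invalid


def sign_assertion(key: RegisteredKey, claims: dict) -> str:
    """Build an HS256 JWT assertion with the given registered key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": key.kid}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(claims).encode())}"
    )
    sig = hmac.new(key.secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _verify_signature_and_claims(assertion: str, registry: dict,
                                 now: int) -> Optional[RegisteredKey]:
    """Return the signing key if signature and 'exp' claim are valid, else None."""
    try:
        h, p, s = assertion.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:          # malformed base64/JSON or wrong segment count
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    key = registry.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key.secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None             # the assertion itself has expired
    return key


def _issue_token(key: RegisteredKey, now: int) -> dict:
    # Constructed opaque token; a real server would mint a proper access token.
    return {"access_token": f"at-{key.kid}-{now}", "token_type": "Bearer"}


def grant_vulnerable(assertion: str, registry: dict, now: int) -> Optional[dict]:
    """Checks the assertion but never consults the registered key's expiry."""
    key = _verify_signature_and_claims(assertion, registry, now)
    return _issue_token(key, now) if key else None


def grant_fixed(assertion: str, registry: dict, now: int) -> Optional[dict]:
    """Same checks plus: reject any assertion signed with an expired key."""
    key = _verify_signature_and_claims(assertion, registry, now)
    if key is None or key.expires_at <= now:
        return None
    return _issue_token(key, now)


if __name__ == "__main__":
    now = int(time.time())
    registry = {  # constructed registry: k1 expired yesterday, k2 still valid
        "k1": RegisteredKey("k1", b"constructed-secret-1", now - 86400),
        "k2": RegisteredKey("k2", b"constructed-secret-2", now + 86400),
    }
    claims = {"iss": "svc", "sub": "svc", "aud": "https://issuer.example", "exp": now + 300}
    stale = sign_assertion(registry["k1"], claims)
    print("vulnerable handler, expired key:", grant_vulnerable(stale, registry, now))
    print("fixed handler, expired key:     ", grant_fixed(stale, registry, now))
```

The important distinction is between the assertion's `exp` claim, which a fresh assertion always satisfies, and the lifetime of the key that signed it; the first check alone lets a client keep signing new assertions long after the operator has retired the key.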
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability bypasses expiration validation for JWT keys during Authorization Grants, allowing a privileged attacker with an expired key to obtain valid access tokens. This directly facilitates use of alternate authentication material (application access tokens) to access resources.