{"id":"CVE-2024-49753","summary":"Denied Host Validation Bypass in Zitadel Actions","details":"Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions allows bypassing restrictions intended to block requests to localhost (127.0.0.1). The isHostBlocked check, designed to prevent such requests, can be circumvented by creating a DNS record that resolves to 127.0.0.1. This enables actions to send requests to localhost despite the intended security measures. This vulnerability potentially allows unauthorized access to unsecured internal endpoints, which may contain sensitive information or functionalities. Versions 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available.","aliases":["GHSA-6cf5-w9h3-4rqv","GO-2024-3216"],"modified":"2026-04-10T05:18:02.612759Z","published":"2024-10-25T14:11:44.092Z","related":["SUSE-SU-2024:3911-1","openSUSE-SU-2024:0350-1","openSUSE-SU-2024:14447-1"],"database_specific":{"cwe_ids":["CWE-20"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49753.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.58.7"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.59.5"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.60.4"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.61.4"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.62.8"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.63.6"},{"type":"WEB","url":"https://github.com/zitadel/zitadel/releases/tag/v2.64.1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49753.json"},{"type":"ADVISORY","url":"https://github.com/zitadel/zitadel/security/advisories/GHSA-6cf5-w9h3-4rqv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49753"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"539e8ed5cc51eea3285778ca05ca913559e32a71"},{"fixed":"7508e6c9f36f3e1968c873b7dd7853077e4c8cd8"}],"database_specific":{"versions":[{"introduced":"2.64"},{"fixed":"2.64.1"}]}},{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"1e649e856f2a520ebae898ec5690163fde742930"},{"fixed":"b86847157fe677c5f24d3f5a075876162209a326"}],"database_specific":{"versions":[{"introduced":"2.63"},{"fixed":"2.63.6"}]}},{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"6210239ed5b8c92bc63d14d050137d2985e99bce"},{"fixed":"43bdd8b1d40a090a825cd14b0208f0ea23b40035"}],"database_specific":{"versions":[{"introduced":"2.62"},{"fixed":"2.62.8"}]}},{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"937f683ce5ac64b477411ab198880729b966c6e1"},{"fixed":"1f6907e5da365725e3381960739622c55cad8eb5"}],"database_specific":{"versions":[{"introduced":"2.61"},{"fixed":"2.61.4"}]}},{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"c667ab7047bf9707f2377f633ed3e1255c70a726"},{"fixed":"f583925f12072fadb02b6c931f04139c57d6dee1"}],"database_specific":{"versions":[{"introduced":"2.60"},{"fixed":"2.60.4"}]}},{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"bdae824e8c6581e45407ebdefbff785eb66a1ebd"},{"fixed":"c1d4df90e6ef3559581b1ed95a79fcc107cb95f3"}],"database_specific":{"versions":[{"introduced":"2.59"},{"fixed":"2.59.5"}]}},{"type":"GIT","repo":"https://github.com/zitadel/zitadel","events":[{"introduced":"0"},{"fixed":"51c7978b34fbc77a9f5a541412384bea732da792"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.58.7"}]}}],"versions":["2.20.0","cnsl-feature-dev","feat-new-mail-templates-dev","v0.0.0","v0.1.0","v0.10.0","v0.11.0","v0.119.0","v0.119.1","v0.119.2","v0.119.3","v0.119.4","v0.119.5","v0.119.6","v0.12.0","v0.120.0","v0.120.1","v0.121.0","v0.121.1","v0.121.2","v0.122.0","v0.122.1","v0.122.2","v0.122.3","v0.122.4","v0.122.5","v0.123.0","v0.123.1","v0.123.2","v0.123.3","v0.123.4","v0.123.5","v0.124.0","v0.13.0","v0.14.0","v0.15.0","v0.16.0","v0.17.0","v0.17.1","v0.18.0","v0.18.1","v0.18.2","v0.18.3","v0.19.0","v0.2.0","v0.20.0","v0.20.1","v0.20.2","v0.21.0","v0.22.0","v0.22.1","v0.22.2","v0.22.3","v0.22.4","v0.22.5","v0.22.6","v0.22.7","v0.23.0","v0.23.1","v0.24.0","v0.24.1","v0.24.2","v0.24.3","v0.25.0","v0.25.1","v0.26.0","v0.27.0","v0.28.0","v0.29.0","v0.29.1","v0.3.0","v0.3.1","v0.30.0","v0.30.1","v0.31.0","v0.31.1","v0.31.2","v0.31.3","v0.32.0","v0.32.1","v0.32.2","v0.33.0","v0.33.1","v0.33.2","v0.33.3","v0.33.4","v0.33.5","v0.34.0","v0.35.0","v0.35.1","v0.35.2","v0.36.0","v0.37.0","v0.38.0","v0.39.0","v0.39.1","v0.4.0","v0.4.1","v0.40.0","v0.40.1","v0.40.2","v0.40.3","v0.40.4","v0.41.0","v0.41.1","v0.42.0","v0.42.1","v0.42.2","v0.42.3","v0.42.4","v0.43.0","v0.43.1","v0.43.2","v0.44.0","v0.44.1","v0.44.2","v0.44.3","v0.45.0","v0.46.0","v0.46.1","v0.47.0","v0.47.1","v0.47.2","v0.47.3","v0.47.4","v0.47.5","v0.48.0","v0.49.0","v0.49.1","v0.5.0","v0.50.0","v0.51.0","v0.51.1","v0.52.0","v0.53.0","v0.53.1","v0.53.2","v0.53.3","v0.53.4","v0.53.5","v0.54.0","v0.54.1","v0.54.2","v0.54.3","v0.54.4","v0.54.5","v0.55.0","v0.55.1","v0.55.10","v0.55.11","v0.55.12","v0.55.13","v0.55.2","v0.55.3","v0.55.4","v0.55.5","v0.55.6","v0.55.7","v0.55.8","v0.55.9","v0.56.0","v0.56.1","v0.57.0","v0.57.1","v0.57.2","v0.58.0","v0.59.0","v0.59.1","v0.6.0","v0.60.0","v0.60.1","v0.61.0","v0.61.1","v0.61.2","v0.61.3","v0.61.4","v0.62.0","v0.63.0","v0.63.1","v0.64.0","v0.64.1","v0.64.2","v0.64.3","v0.64.4","v0.64.5","v0.64.6","v0.64.7","v0.65.0","v0.66.0","v0.66.1","v0.67.0","v0.67.1","v0.67.2","v0.68.0","v0.69.0","v0.69.1","v0.7.0","v0.70.0","v0.70.1","v0.71.0","v0.72.0","v0.73.0","v0.74.0","v0.74.1","v0.74.2","v0.74.3","v0.74.4","v0.75.0","v0.75.1","v0.75.2","v0.75.3","v0.75.4","v0.75.5","v0.76.0","v0.76.1","v0.76.2","v0.76.3","v0.77.0","v0.77.1","v0.77.2","v0.77.3","v0.77.4","v0.77.5","v0.78.0","v0.78.1","v0.78.2","v0.79.0","v0.8.0","v0.80.0","v0.80.1","v0.80.2","v0.81.0","v0.81.1","v0.81.2","v0.81.3","v0.81.4","v0.81.5","v0.81.6","v0.82.0","v0.82.1","v0.82.2","v0.82.3","v0.82.4","v0.83.0","v0.83.1","v0.83.2","v0.83.3","v0.83.4","v0.83.5","v0.83.6","v0.84.0","v0.84.1","v0.84.2","v0.84.3","v0.84.4","v0.85.0","v0.85.1","v0.85.2","v0.85.3","v0.85.4","v0.86.0","v0.86.1","v0.86.2","v0.87.0","v0.87.1","v0.88.0","v0.88.1","v0.88.2","v0.88.3","v0.9.0","v1-events-queries-dev","v1.0.0","v1.0.1","v1.0.2","v1.0.3","v1.0.4","v1.1.0","v1.10.0","v1.10.1","v1.10.2","v1.10.3","v1.10.4","v1.10.5","v1.11.0","v1.11.1","v1.12.0","v1.12.1","v1.12.2","v1.12.3","v1.12.4","v1.12.5","v1.12.6","v1.12.7","v1.13.0","v1.14.0","v1.14.1","v1.15.0","v1.15.1","v1.16.0","v1.16.1","v1.16.2","v1.16.3","v1.16.4","v1.16.5","v1.16.6","v1.16.7","v1.16.8","v1.17.0","v1.17.1","v1.17.2","v1.17.3","v1.17.4","v1.17.5","v1.17.6","v1.17.7","v1.18.0","v1.18.1","v1.19.0","v1.19.1","v1.19.2","v1.19.3","v1.19.4","v1.2.0","v1.2.1","v1.2.2","v1.2.3","v1.2.4","v1.2.5","v1.2.6","v1.2.7","v1.20.0","v1.20.1","v1.20.2","v1.20.3","v1.20.4","v1.20.5","v1.21.0","v1.21.1","v1.21.2","v1.21.3","v1.21.4","v1.22.0","v1.22.1","v1.22.10","v1.22.11","v1.22.12","v1.22.13","v1.22.2","v1.22.3","v1.22.4","v1.22.5","v1.22.6","v1.22.7","v1.22.8","v1.22.9","v1.23.0","v1.23.1","v1.23.2","v1.23.3","v1.23.4","v1.23.5","v1.24.0","v1.24.1","v1.24.2","v1.25.0","v1.25.1","v1.26.0","v1.26.1","v1.27.0","v1.27.1","v1.27.2","v1.27.3","v1.27.4","v1.28.0","v1.28.1","v1.28.2","v1.28.3","v1.28.4","v1.29.0","v1.29.1","v1.29.2","v1.29.3","v1.29.4","v1.29.5","v1.29.6","v1.3.0","v1.30.0","v1.30.1","v1.30.2","v1.31.0","v1.31.1","v1.32.0","v1.32.1","v1.32.2","v1.32.3","v1.32.4","v1.32.5","v1.33.0","v1.33.1","v1.34.0","v1.34.1","v1.34.10","v1.34.11","v1.34.2","v1.34.3","v1.34.4","v1.34.5","v1.34.6","v1.34.7","v1.34.8","v1.34.9","v1.35.0","v1.35.1","v1.36.0","v1.37.0","v1.38.0","v1.39.0","v1.39.1","v1.4.0","v1.40.0","v1.41.0","v1.41.1","v1.41.2","v1.41.3","v1.41.4","v1.42.0","v1.42.1","v1.42.2","v1.43.0","v1.43.1","v1.43.2","v1.43.3","v1.43.4","v1.44.0","v1.44.1","v1.44.2","v1.44.3","v1.45.0","v1.45.1","v1.45.2","v1.45.3","v1.45.4","v1.45.5","v1.45.6","v1.46.0","v1.46.1","v1.46.2","v1.46.3","v1.46.4","v1.47.0","v1.47.1","v1.47.2","v1.47.3","v1.47.4","v1.47.5","v1.47.6","v1.48.0","v1.48.1","v1.48.2","v1.48.3","v1.48.4","v1.48.5","v1.48.6","v1.48.7","v1.48.8","v1.49.0","v1.49.1","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.50.0","v1.50.1","v1.50.2","v1.50.3","v1.50.4","v1.51.0","v1.52.0","v1.52.1","v1.52.2","v1.53.0","v1.53.1","v1.53.2","v1.54.0","v1.54.1","v1.54.10","v1.54.2","v1.54.3","v1.54.4","v1.54.5","v1.54.6","v1.54.7","v1.54.8","v1.54.9","v1.55.0","v1.55.1","v1.55.2","v1.56.0","v1.56.1","v1.56.10","v1.56.11","v1.56.12","v1.56.13","v1.56.14","v1.56.15","v1.56.16","v1.56.17","v1.56.18","v1.56.19","v1.56.2","v1.56.20","v1.56.21","v1.56.22","v1.56.3","v1.56.4","v1.56.5","v1.56.6","v1.56.7","v1.56.8","v1.56.9","v1.57.0","v1.57.1","v1.58.0","v1.59.0","v1.59.1","v1.59.2","v1.59.3","v1.6.0","v1.6.1","v1.6.2","v1.6.3","v1.6.4","v1.6.5","v1.60.0","v1.60.1","v1.60.2","v1.60.3","v1.61.0","v1.62.0","v1.62.1","v1.62.2","v1.63.0","v1.64.0","v1.65.0","v1.66.0","v1.66.1","v1.66.2","v1.66.3","v1.66.4","v1.66.5","v1.66.6","v1.66.7","v1.66.8","v1.66.9","v1.67.0","v1.67.1","v1.68.0","v1.68.1","v1.69.0","v1.69.1","v1.69.2","v1.69.3","v1.69.4","v1.69.5","v1.69.6","v1.69.7","v1.69.8","v1.7.0","v1.7.1","v1.7.2","v1.7.3","v1.7.4","v1.70.0","v1.70.1","v1.70.2","v1.71.0","v1.71.1","v1.71.2","v1.72.0","v1.72.1","v1.73.0","v1.73.1","v1.73.2","v1.73.3","v1.73.4","v1.74.0","v1.75.0","v1.75.1","v1.75.2","v1.75.3","v1.75.4","v1.75.5","v1.75.6","v1.75.7","v1.75.8","v1.76.0","v1.76.1","v1.76.2","v1.77.0","v1.77.1","v1.77.2","v1.78.0","v1.79.0","v1.8.0","v1.8.1","v1.8.2","v1.8.3","v1.8.4","v1.80.0-v2.1","v1.80.0-v2.10","v1.80.0-v2.11","v1.80.0-v2.12","v1.80.0-v2.13","v1.80.0-v2.14","v1.80.0-v2.15","v1.80.0-v2.16","v1.80.0-v2.17","v1.80.0-v2.18","v1.80.0-v2.19","v1.80.0-v2.2","v1.80.0-v2.20","v1.80.0-v2.3","v1.80.0-v2.4","v1.80.0-v2.5","v1.80.0-v2.6","v1.80.0-v2.7","v1.80.0-v2.8","v1.80.0-v2.9","v1.9.0","v1.9.1","v1.9.2","v2.0.0","v2.0.0-v2-alpha.1","v2.0.0-v2-alpha.10","v2.0.0-v2-alpha.11","v2.0.0-v2-alpha.12","v2.0.0-v2-alpha.13","v2.0.0-v2-alpha.14","v2.0.0-v2-alpha.15","v2.0.0-v2-alpha.16","v2.0.0-v2-alpha.17","v2.0.0-v2-alpha.18","v2.0.0-v2-alpha.19","v2.0.0-v2-alpha.2","v2.0.0-v2-alpha.20","v2.0.0-v2-alpha.21","v2.0.0-v2-alpha.22","v2.0.0-v2-alpha.23","v2.0.0-v2-alpha.24","v2.0.0-v2-alpha.25","v2.0.0-v2-alpha.26","v2.0.0-v2-alpha.27","v2.0.0-v2-alpha.28","v2.0.0-v2-alpha.29","v2.0.0-v2-alpha.3","v2.0.0-v2-alpha.30","v2.0.0-v2-alpha.31","v2.0.0-v2-alpha.32","v2.0.0-v2-alpha.33","v2.0.0-v2-alpha.34","v2.0.0-v2-alpha.35","v2.0.0-v2-alpha.36","v2.0.0-v2-alpha.37","v2.0.0-v2-alpha.38","v2.0.0-v2-alpha.39","v2.0.0-v2-alpha.4","v2.0.0-v2-alpha.40","v2.0.0-v2-alpha.41","v2.0.0-v2-alpha.42","v2.0.0-v2-alpha.43","v2.0.0-v2-alpha.44","v2.0.0-v2-alpha.5","v2.0.0-v2-alpha.6","v2.0.0-v2-alpha.7","v2.0.0-v2-alpha.8","v2.0.0-v2-alpha.9","v2.0.1","v2.1.0","v2.1.1","v2.10.0","v2.11.0","v2.11.1","v2.12.0","v2.13.0","v2.13.1","v2.14.0","v2.14.1","v2.14.2","v2.14.3","v2.14.4","v2.14.5","v2.15.0","v2.16.0","v2.16.1","v2.17.0","v2.17.1","v2.18.0","v2.19.0","v2.2.0","v2.20.0","v2.21.0","v2.22.0","v2.22.1","v2.22.2","v2.23.0","v2.23.1","v2.24.0","v2.25.0","v2.25.1","v2.25.2","v2.25.3","v2.26.0","v2.26.1","v2.26.2","v2.27.0","v2.27.1","v2.28.0","v2.28.1","v2.29.0","v2.29.1","v2.29.2","v2.29.3","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.3.4","v2.30.0","v2.31.0","v2.31.1","v2.31.2","v2.31.3","v2.31.4","v2.31.5","v2.32.0","v2.33.0","v2.33.1","v2.34.0","v2.34.1","v2.35.0","v2.35.1","v2.36.0","v2.36.1","v2.36.2","v2.36.3","v2.37.0","v2.37.1","v2.37.2","v2.37.3","v2.38.0","v2.38.1","v2.39.0","v2.39.1","v2.39.2","v2.39.3","v2.4.0","v2.40.0","v2.40.1","v2.40.2","v2.40.3","v2.40.4","v2.40.5","v2.41.0","v2.41.1","v2.41.2","v2.41.3","v2.41.4","v2.41.5","v2.42.0","v2.42.1","v2.42.2","v2.42.3","v2.43.0","v2.43.1","v2.43.2","v2.43.3","v2.43.4","v2.43.5","v2.44.0","v2.44.1","v2.44.2","v2.45.0","v2.46.0","v2.47.0","v2.47.1","v2.47.2","v2.47.3","v2.47.4","v2.47.5","v2.47.6","v2.48.0","v2.48.1","v2.48.2","v2.48.3","v2.49.0","v2.49.1","v2.49.2","v2.49.3","v2.5.0","v2.5.1","v2.50.0","v2.50.1","v2.50.2","v2.50.3","v2.50.4","v2.50.5","v2.51.0","v2.51.1","v2.51.2","v2.51.3","v2.51.4","v2.52.0","v2.52.1","v2.53.0","v2.53.1","v2.53.2","v2.54.0","v2.54.1","v2.54.2","v2.54.3","v2.55.0","v2.55.1","v2.55.2","v2.56.0","v2.56.1","v2.57.0","v2.58.0","v2.58.1","v2.58.2","v2.58.3","v2.58.4","v2.58.5","v2.58.6","v2.59.0","v2.59.1","v2.59.2","v2.59.3","v2.59.4","v2.6.0","v2.60.0","v2.60.1","v2.60.2","v2.60.3","v2.61.0","v2.61.1","v2.61.2","v2.61.3","v2.62.0","v2.62.1","v2.62.2","v2.62.3","v2.62.4","v2.62.5","v2.62.6","v2.62.7","v2.63.0","v2.63.1","v2.63.2","v2.63.3","v2.63.4","v2.63.5","v2.64.0","v2.7.0","v2.8.0","v2.8.1","v2.8.2","v2.9.0","v2.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49753.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"}]}