4.7.5

2025-12-12
patch

CRITICAL SECURITY RELEASE - Immediate upgrade required for all installations. This release addresses four CVEs including a confirmed exploitable unauthenticated RCE vulnerability (CVE-2025-55182) that allows private key extraction. All installations running the new login frontend must be considered potentially compromised.

Security 4

  • Fixed CVE-2025-55182 - Critical RCE vulnerability in React Server Components (#11143, #11140) critical
    Addressed a critical unauthenticated remote code execution vulnerability in React Server Components that let attackers extract private keys and environment variables without authenticating. All installations with the new login frontend were potentially compromised.
    react login
  • Fixed CVE-2025-66478 - Security vulnerability in Next.js (#11143, #11140) high
    Addressed a security vulnerability in Next.js by updating to the patched version
    next.js
  • Fixed CVE-2025-55184 - Security vulnerability in Next.js (#11179, #11140) high
    Addressed an additional security vulnerability in Next.js by updating to version 15.5.9
    next.js login
  • Fixed CVE-2025-55183 - Security vulnerability in Next.js (#11179, #11140) high
    Addressed an additional security vulnerability in Next.js by updating to version 15.5.9
    next.js login

Bug Fixes 2

  • Updated qrcode-react package (#11143) low
    Updated the qrcode-react dependency as part of the security update
    dependencies
  • Synced eslint-config-next to version 15.5.9 (#11179) low
    Manually synced eslint-config-next to match the Next.js version for compatibility
    dependencies linting

Deprecations 1

  • Removed experimental dynamicIO flag (#11143)
    Removed the experimental dynamicIO flag as part of the Next.js update; it is replaced by the useCache flag
    configuration

Maintenance & Chores 3

  • Updated React to version 19.1.2 (#11143, #11140)
    Updated React and React-DOM to patched version 19.1.2 to address critical security vulnerabilities
    dependencies react
  • Updated Next.js to version 15.5.9 (#11143, #11179, #11140)
    Updated Next.js from 15.5.7 to 15.5.9 to address multiple security vulnerabilities in the login component
    dependencies next.js login
  • Added useCache configuration flag (#11143)
    Added the useCache flag to replace the deprecated dynamicIO experimental flag
    configuration
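To verify that a deployment actually carries the patched dependency versions named above (react and react-dom 19.1.2, next 15.5.9), here is an added audit helper that reads a package-lock.json and flags anything below those minimums. This is example code written for this page, not part of the project; the lockfile contents are constructed sample data, and the pre-patch React version 19.1.1 in it is an assumed value, not one stated in the release notes.

```python
import json
import re

# Minimum patched versions stated in the 4.7.5 release notes.
PATCHED = {
    "react": "19.1.2",
    "react-dom": "19.1.2",
    "next": "15.5.9",
}


def parse_version(v):
    """Turn '15.5.9' (or a range such as '^15.5.7') into a comparable (major, minor, patch) tuple.
    Pre-release suffixes are ignored, so '15.5.9-canary.1' compares as 15.5.9."""
    core = re.match(r"[^\d]*(\d+)\.(\d+)\.(\d+)", v)
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in core.groups())


def audit_lockfile(lock_text):
    """Return {package: (installed, minimum, ok)} for every package in PATCHED,
    read from the 'packages' map of a package-lock.json (lockfileVersion 2 or 3).
    A package that is absent from the lockfile is reported as not ok, because
    'not resolved' cannot be distinguished from 'not patched' by this check."""
    lock = json.loads(lock_text)
    packages = lock.get("packages", {})
    result = {}
    for name, minimum in PATCHED.items():
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            result[name] = (None, minimum, False)
            continue
        installed = entry["version"]
        ok = parse_version(installed) >= parse_version(minimum)
        result[name] = (installed, minimum, ok)
    return result


# Constructed sample lockfile: next is still at the pre-4.7.5 version 15.5.7
# named in the notes; the react version 19.1.1 is an assumed pre-patch value.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "node_modules/react": {"version": "19.1.1"},
        "node_modules/react-dom": {"version": "19.1.2"},
        "node_modules/next": {"version": "15.5.7"},
    },
})

if __name__ == "__main__":
    for pkg, (installed, minimum, ok) in audit_lockfile(SAMPLE_LOCK).items():
        status = "OK" if ok else "BELOW PATCHED VERSION"
        print(f"{pkg:10} installed={installed!s:8} required>={minimum:8} {status}")
```

Run it against a real deployment by replacing SAMPLE_LOCK with the contents of the project's package-lock.json; any line not marked OK means the 4.7.5 dependency updates have not reached that installation.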

Upgrade Warnings

  • All installations with the new login frontend running versions prior to 4.7.5 must be considered compromised
  • CVE-2025-55182 is a confirmed exploitable unauthenticated RCE vulnerability with CVSS score 10.0
  • Private key extraction has been confirmed by community members using public exploits
  • The IAM_LOGIN_CLIENT role has extensive permissions that could be abused if its credentials are compromised