GHSA-wxg7-w2v3-w38g
ZITADEL: Missing Token Lifecycle Validation (`exp` and `iat`) in JWT IdP Provider
Details
### Summary
Two closely related token lifecycle validation vulnerabilities were discovered in ZITADEL's external JWT Identity Provider (IdP) implementation.
Specifically, within the validation pipeline:
* **Missing Expiration (`exp`) Enforcement:** If an incoming JWT omits the `exp` claim entirely, the expiration check is silently skipped instead of the token being rejected, so the token is treated as valid forever.
* **Missing Issued-At (`iat`) Enforcement:** ZITADEL enforces a 1-hour freshness window (`maxAge`) measured from the token's issue time. However, this check is guarded by a presence condition: if a token omits the `iat` claim, the freshness check is bypassed entirely, allowing arbitrarily old tokens to pass.
Per the OIDC Core 1.0 specification, ID tokens must carry `exp` and `iat`, and the validating party must reject a token whose `exp` has passed. ZITADEL's silent acceptance of tokens missing these temporal claims compromises session integrity.
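The following Go program is an added illustration of the presence-guarded pattern described above and of the fix the advisory describes; it is not ZITADEL's code. It decodes the payload of a compact JWT (signature verification is assumed to happen elsewhere and is deliberately out of scope) and runs the temporal checks twice: `validateVulnerable` only checks `exp` and `iat` when they are present, while `validateFixed` rejects a token that lacks either claim before applying the same 1-hour `maxAge` window. The `Claims` type, the `makeToken` helper and the constructed tokens are hypothetical fixtures for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims holds only the temporal claims this example cares about.
// Pointers keep "claim absent" distinguishable from "claim is zero".
// (Hypothetical type for the example, not ZITADEL's own.)
type Claims struct {
	Exp *int64 `json:"exp,omitempty"`
	Iat *int64 `json:"iat,omitempty"`
	Sub string `json:"sub,omitempty"`
}

// maxAge is the freshness window the advisory describes (1 hour).
const maxAge = time.Hour

// decodeClaims extracts the payload of a compact JWT (header.payload.signature).
// It does NOT verify the signature; that step is assumed to happen elsewhere.
func decodeClaims(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT: expected three dot-separated parts")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	return &c, nil
}

// validateVulnerable mirrors the presence-guarded pattern from the advisory:
// each temporal check only runs if its claim exists, so a token that omits
// exp and iat passes without any lifecycle enforcement.
func validateVulnerable(c *Claims, now time.Time) error {
	if c.Exp != nil && !now.Before(time.Unix(*c.Exp, 0)) {
		return errors.New("token expired")
	}
	if c.Iat != nil && now.Sub(time.Unix(*c.Iat, 0)) > maxAge {
		return errors.New("token older than maxAge")
	}
	return nil
}

// validateFixed requires both claims to be present before applying the same
// checks, which is the behaviour the advisory describes for the patched releases.
func validateFixed(c *Claims, now time.Time) error {
	if c.Exp == nil {
		return errors.New("missing exp claim")
	}
	if c.Iat == nil {
		return errors.New("missing iat claim")
	}
	if !now.Before(time.Unix(*c.Exp, 0)) {
		return errors.New("token expired")
	}
	if now.Sub(time.Unix(*c.Iat, 0)) > maxAge {
		return errors.New("token older than maxAge")
	}
	return nil
}

// makeToken builds an unsigned compact token from the claims so the example has
// a constructed JWT to parse. It exists only to feed decodeClaims; a real IdP
// token would carry a signature that must be verified first.
func makeToken(c Claims) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	payload, _ := json.Marshal(c) // nil pointers are omitted, i.e. the claim is absent
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + "."
}

func main() {
	now := time.Date(2026, 1, 1, 12, 0, 0, 0, time.UTC)
	// Constructed token with no exp and no iat at all.
	c, err := decodeClaims(makeToken(Claims{Sub: "alice"}))
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable validator:", validateVulnerable(c, now)) // nil: accepted forever
	fmt.Println("fixed validator:     ", validateFixed(c, now))      // missing exp claim
}
```

Running it shows the asymmetry the advisory describes: the same claim-less payload is accepted by the presence-guarded validator and rejected by the fixed one. The fixed validator also keeps the `maxAge` check strict, so a token with a valid `exp` but an `iat` two hours in the past is still refused.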
### Impact
An attacker in possession of a token that lacks both `exp` and `iat` claims holds a permanent credential that will never expire and will always be deemed "fresh" by the system. Even without combining both flaws, the absence of an expiration constraint means a leaked token effectively becomes a skeleton key for that user session, with no automatic revocation window.
### Affected Versions
Systems running one of the following versions are affected:
* **4.x**: `4.0.0` through `4.15.1` (including RC versions)
* **3.x**: `3.0.0` through `3.4.11` (including RC versions)
### Patches
The vulnerability has been addressed in the latest releases. ZITADEL now explicitly rejects tokens that lack an `exp` or `iat` claim.
* **4.x**: Upgrade to >= [4.15.2](https://github.com/zitadel/zitadel/releases/tag/v4.15.2)
* **3.x**: Upgrade to >= [3.4.12](https://github.com/zitadel/zitadel/releases/tag/v3.4.12)
### Workarounds
The recommended solution is to update ZITADEL to a patched version.
If an immediate upgrade is not feasible, ensure at the Identity Provider level that the external IdP is strictly configured to enforce short token lifetimes and **explicitly includes** both `exp` and `iat` claims in every token payload it signs and issues.
### Questions
If you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)
### Credits
Thanks to [Android-Login-Analysis](https://github.com/Android-Login-Analysis), Jason Zhou and [Pedro Giglioti](https://github.com/Punisher100) for reporting this vulnerability.
Affected packages
- github.com/zitadel/zitadel (Go), fixed in `1.80.0-v2.20.0.20260615122908-fad02c6d9f45` (`go get github.com/zitadel/zitadel@v1.80.0-v2.20.0.20260615122908-fad02c6d9f45`)
References
- https://github.com/zitadel/zitadel/security/advisories/GHSA-wxg7-w2v3-w38g [WEB]
- https://github.com/zitadel/zitadel/commit/fad02c6d9f4587956f830d4536c64a9a94baa7ac [WEB]
- https://github.com/zitadel/zitadel [PACKAGE]
- https://github.com/zitadel/zitadel/releases/tag/v3.4.12 [WEB]
- https://github.com/zitadel/zitadel/releases/tag/v4.15.2 [WEB]