CVE-2025-57770
BaseFortify

Publication date: 2025-08-22

Last updated on: 2025-08-27

Assigner: GitHub, Inc.

Description
The open-source identity infrastructure software Zitadel allows administrators to disable user self-registration. Versions 4.0.0 to 4.0.2, 3.0.0 to 3.3.6, and all versions prior to 2.71.15 are vulnerable to a username enumeration issue in the login interface. The login UI includes a security feature, "Ignoring unknown usernames", that is intended to prevent username enumeration by returning a generic response for both valid and invalid usernames. This vulnerability allows an unauthenticated attacker to bypass this protection by submitting arbitrary userIDs to the select account page and distinguishing between valid and invalid accounts based on the system's response. For effective exploitation, an attacker needs to iterate through possible userIDs, but the impact can be limited by implementing rate limiting or similar measures. The issue has been patched in versions 4.0.3, 3.4.0, and 2.71.15.
Affected Vendors & Products
Vendor   Product  Version / Range
zitadel  zitadel  prior to 2.71.15 (exclusive)
zitadel  zitadel  from 3.0.0 (inclusive) to 3.4.0 (exclusive)
zitadel  zitadel  from 4.0.0 (inclusive) to 4.0.3 (exclusive)
CWE
CWE-203 (Observable Discrepancy): The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a username enumeration issue in the Zitadel login interface. Although Zitadel has a security feature that returns generic responses to prevent attackers from distinguishing valid usernames, an unauthenticated attacker can bypass this by submitting arbitrary userIDs to the select account page. By analyzing the system's responses, the attacker can determine which usernames are valid. Exploitation requires iterating through possible userIDs, and the impact can be limited by rate limiting or similar measures.


How can this vulnerability impact me?

The vulnerability allows an attacker to discover valid usernames in the system without authentication. This can facilitate further attacks such as targeted phishing, password guessing, or social engineering. However, the impact is limited to information disclosure of valid usernames and does not directly affect data integrity or availability.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Zitadel to a patched version: 4.0.3, 3.4.0, or 2.71.15 or later. Additionally, implementing rate limiting or similar measures on the login interface can help limit the impact of username enumeration attempts.
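One way to act on the rate-limiting advice above is to alert on clients that cycle through many distinct userIDs on the select account page. The detector below is added here as an example and is not part of the advisory or of Zitadel; it runs over constructed access-log lines, and the log layout, the endpoint path and the query parameter name are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumed (not Zitadel's real) path of the select-account page and query parameter.
SELECT_ACCOUNT_PATH = "/login/select-account"
USER_ID_PARAM = "userID"

# Constructed sample access log: "<ISO timestamp> <client ip> <method> <path>".
# 198.51.100.7 cycles through six user IDs in six seconds; 203.0.113.5 is a normal login.
SAMPLE_LOG = [
    f"2025-08-22T10:00:{i:02d}Z 198.51.100.7 POST {SELECT_ACCOUNT_PATH}?userID=29{i:04d}"
    for i in range(6)
] + [
    f"2025-08-22T10:00:03Z 203.0.113.5 POST {SELECT_ACCOUNT_PATH}?userID=310042",
    f"2025-08-22T10:00:09Z 203.0.113.5 POST {SELECT_ACCOUNT_PATH}?userID=310042",
    "2025-08-22T10:00:10Z 203.0.113.5 GET /login/password",
]

def parse_line(line):
    """Return (timestamp, ip, userID) for a select-account request, else None."""
    ts, ip, _method, target = line.split(" ", 3)
    url = urlsplit(target)
    user_id = parse_qs(url.query).get(USER_ID_PARAM, [None])[0]
    if url.path != SELECT_ACCOUNT_PATH or user_id is None:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user_id

def detect_enumeration(lines, window_seconds=60, max_distinct_ids=5):
    """Map each client IP that tried >= max_distinct_ids distinct userIDs within
    window_seconds to the largest distinct count seen in any such window."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line.strip())
        if parsed:
            ts, ip, uid = parsed
            per_ip[ip].append((ts, uid))
    window, alerts = timedelta(seconds=window_seconds), {}
    for ip, events in per_ip.items():
        recent = deque()  # sliding window of (timestamp, userID), oldest first
        for ts, uid in sorted(events):
            recent.append((ts, uid))
            while ts - recent[0][0] > window:
                recent.popleft()
            distinct = len({u for _, u in recent})
            if distinct >= max_distinct_ids:
                alerts[ip] = max(alerts.get(ip, 0), distinct)
    return alerts
```

The same per-IP distinct-userID count can drive a rate limiter at the reverse proxy once the threshold is tuned against normal login traffic.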

