Executive Summary

CVE-2025-58442 is a user enumeration vulnerability in the Saleor e-commerce platform versions 3.21.0 up to but not including 3.21.16. The vulnerability occurs because the accountRegister GraphQL mutation returns different error messages or exposes user IDs depending on whether an email address already exists in the system. This discrepancy allows attackers to determine if a user with a specific email exists by analyzing the mutation's response, effectively leaking user existence information. The issue arises from observable response discrepancies that reveal internal state information to unauthorized actors. The vulnerability was fixed in version 3.21.16 by introducing a flag to mark newly created users and modifying GraphQL resolvers to avoid returning user IDs or sensitive data during registration. [2, 3, 4]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to confirm whether specific email addresses are registered users on your Saleor platform. This user enumeration can lead to privacy violations and targeted attacks such as phishing or credential stuffing. Attackers can collect valid user email lists, which may be used for further malicious activities. Although the vulnerability does not directly affect data integrity or availability, it compromises confidentiality by leaking user existence information. The CVSS score of 5.3 indicates moderate severity. Mitigation involves upgrading to Saleor version 3.21.16 or later, or applying rate-limiting on the accountRegister mutation as a temporary workaround. [2, 1]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability can negatively affect compliance with data protection regulations such as GDPR and HIPAA because it allows unauthorized disclosure of user existence information, which is considered personal data. By enabling attackers to enumerate valid user email addresses, it increases the risk of privacy breaches and unauthorized access to personal information. Organizations subject to these regulations must protect user data confidentiality, and this vulnerability represents a failure to adequately safeguard such information. Therefore, until patched, the vulnerability could lead to non-compliance issues related to data confidentiality and breach notification requirements. [2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by observing the responses of the `accountRegister` GraphQL mutation in Saleor versions >=3.21.0 and <3.21.16. Specifically, sending registration requests with different email addresses and analyzing the error messages or returned data can reveal whether a user with a given email exists. To detect this on your system, you can perform GraphQL mutation requests to the `accountRegister` endpoint with various emails and compare the responses for discrepancies that indicate user enumeration. Example command using curl to test the mutation (replace <URL> with your Saleor GraphQL endpoint): curl -X POST <URL> -H "Content-Type: application/json" -d '{"query": "mutation { accountRegister(input: {email: \"[email protected]\", password: \"Password123!\"}) { user { id email } } }"}' By comparing responses for existing and non-existing emails, you can detect if the vulnerability is present. [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate recommended mitigation is to upgrade Saleor to version 3.21.16 or later, where the vulnerability is fixed. If upgrading immediately is not possible, you should implement rate-limiting on the `accountRegister` mutation to reduce the risk of exploitation by limiting the number of registration attempts and thus reducing the ability to enumerate users. This helps mitigate the impact until the patch can be applied. [2, 1]

Useful 0 Not Useful 0