Zitadel Discloses the Total Number of Instance Users_CVE-2025-67717

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the totalResult field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. This issue is fixed in versions 3.4.5 and 4.7.2.

Basic Information

ID CVE-2025-67717

Source GitHub_M

Published Dec 11, 2025 at 00:30

Affected Product

Vendor zitadel

Product zitadel

Version < 1.80.0-v2.20.0.20251210

Affected Versions zitadel zitadel < 1.80.0-v2.20.0.20251210
zitadel zitadel >= 2.44.0, < 3.4.5
zitadel zitadel >= 4.0.0-rc.1, < 4.7.2

CWE Classification

CWE-497

References

{
    "lastseen": "",
    "description": "ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the totalResult field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. This issue is fixed in versions 3.4.5 and 4.7.2.",
    "published": "2025-12-11T00:30:19.192Z",
    "modified": "2025-12-11T00:30:19.192Z",
    "type": "cve",
    "title": "Zitadel Discloses the Total Number of Instance Users",
    "source": "GitHub_M",
    "references": "https://github.com/zitadel/zitadel/security/advisories/GHSA-f4cf-9rvr-2rcx\nhttps://github.com/zitadel/zitadel/commit/826039c6208fe71df57b3a94c982b5ac5b0af12c",
    "id": "CVE-2025-67717",
    "bulletinFamily": "",
    "cwe": [
        "CWE-497"
    ],
    "cvelist": null,
    "sourceData": "zitadel zitadel < 1.80.0-v2.20.0.20251210\nzitadel zitadel >= 2.44.0, < 3.4.5\nzitadel zitadel >= 4.0.0-rc.1, < 4.7.2",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "zitadel",
    "version": "< 1.80.0-v2.20.0.20251210",
    "vendor": "zitadel",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}