CVE-2025-57770 in Zitadel

Summary

by MITRE • 08/22/2025

The open-source identity infrastructure software Zitadel allows administrators to disable user self-registration. Versions 4.0.0 to 4.0.2, 3.0.0 to 3.3.6, and all versions prior to 2.71.15 are vulnerable to a username enumeration issue in the login interface. The login UI includes a security feature, Ignoring unknown usernames, that is intended to prevent username enumeration by returning a generic response for both valid and invalid usernames. This vulnerability allows an unauthenticated attacker to bypass this protection by submitting arbitrary userIDs to the select account page and distinguishing between valid and invalid accounts based on the system's response. For effective exploitation, an attacker needs to iterate through possible userIDs, but the impact can be limited by implementing rate limiting or similar measures. The issue has been patched in versions 4.0.3, 3.4.0, and 2.71.15.


Analysis

by VulDB Data Team • 08/22/2025

CVE-2025-57770 affects Zitadel, an open-source identity infrastructure platform that provides authentication and authorization for applications and systems. The flaw is a username enumeration weakness: by comparing how the system responds to different inputs, an unauthenticated attacker can learn which user accounts exist. It is an information disclosure issue rather than a direct compromise, and its weight comes from what a confirmed account list enables afterwards. The affected versions are those whose login UI offers the "Ignoring unknown usernames" setting, a control designed to prevent exactly this, yet the control can be sidestepped through another page of the same login flow.

The "Ignoring unknown usernames" option is meant to make the login UI return the same generic response whether or not a submitted username exists. The flaw is that the select account page of the login flow accepts arbitrary userIDs and does not give that uniform response: it answers differently for an existing account than for a non-existing one. An attacker who submits candidate userIDs to that page and compares the responses therefore has an existence oracle, and the protection on the main login form is irrelevant to it. Because the page is part of the unauthenticated authentication flow, the attacker can work through candidate userIDs systematically and build a list of valid accounts, which is precisely what the setting was introduced to prevent.
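The Go program below is an added illustration and is not Zitadel's code. It models a select-account step over a hypothetical in-memory user store and shows why branching the response on whether the account exists produces an oracle, beside a variant that returns one fixed response regardless, together with the attacker's differential check that the advisory describes. The user IDs, the store, the sentinel ID and the response texts are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Hypothetical user store standing in for an identity provider's user table.
// This is constructed example data, not Zitadel's schema.
var users = map[string]string{
	"alice": "alice@example.org",
	"bob":   "bob@example.org",
}

// response is what the select-account step sends back for a submitted userID.
type response struct {
	Status int
	Body   string
}

// selectAccountLeaky branches on whether the ID exists, so the response
// itself is an existence oracle. This is the pattern the advisory describes.
func selectAccountLeaky(userID string) response {
	email, ok := users[userID]
	if !ok {
		return response{Status: 404, Body: "user not found"}
	}
	return response{Status: 200, Body: fmt.Sprintf("continue as %s", email)}
}

// selectAccountGeneric performs the same lookup but returns one fixed response:
// an unknown ID is handled exactly like a known one (the "ignore unknown
// usernames" behaviour), so existence is not observable from status or body.
// Timing and redirects are not addressed here.
func selectAccountGeneric(userID string) response {
	_, _ = users[userID] // lookup still happens; the result is deliberately not exposed
	return response{Status: 200, Body: "continue"}
}

// enumerate plays the attacker: it first probes an ID that cannot exist to
// learn the "unknown user" response, then reports every candidate whose
// response differs from that baseline.
func enumerate(handler func(string) response, candidates []string) []string {
	baseline := handler("no-such-user-8f1c2e") // constructed sentinel, assumed absent
	var valid []string
	for _, id := range candidates {
		if r := handler(id); r != baseline {
			valid = append(valid, id)
		}
	}
	sort.Strings(valid)
	return valid
}

func main() {
	candidates := []string{"admin", "alice", "bob", "carol"}
	fmt.Println("leaky  :", enumerate(selectAccountLeaky, candidates))
	fmt.Println("generic:", enumerate(selectAccountGeneric, candidates))
}
```

enumerate calls the handler directly instead of over HTTP, which is enough to show the oracle; against a real endpoint the same comparison is made on whatever can differ, including status code, body, redirect target and response time. The generic variant removes only the status and body difference, so a real fix also has to keep the redirect and the timing identical on both paths.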

The impact goes beyond account discovery. A confirmed list of valid userIDs is the input for credential stuffing, password brute forcing and targeted social engineering against the identity provider's users, and any of those can end in unauthorized access to the applications behind it. Exploitation requires iterating over candidate userIDs, so rate limiting and similar throttling on the login flow raise the cost and slow the attack, but they do not remove the oracle; only the patched versions do. Organizations running affected versions should treat their user identifiers as discoverable until they upgrade.

VulDB classifies this issue under CWE-601 and CWE-200. CWE-200 (exposure of sensitive information) is the one that describes the enumeration itself; CWE-601 is URL redirection. The issue maps to ATT&CK technique T1078 (Valid Accounts), since enumerated accounts are what a later credential attack targets. Operators should rate limit the login flow and monitor authentication logs for a single source submitting many distinct userIDs in a short period, which is the signature of an enumeration loop. The fix in versions 4.0.3, 3.4.0, and 2.71.15 removes the response discrepancy so that the select account page no longer distinguishes existing from non-existing accounts; upgrading is the priority, with monitoring kept in place afterwards. The broader lesson is that an anti-enumeration control must cover every code path that accepts a user identifier, not only the primary login form, and that the responses on those paths must be uniform in status, body and behaviour.
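As an added example (not part of VulDB's analysis or Zitadel's code), the Go program below replays a constructed log of select-account requests through a per-source limiter that caps the number of distinct userIDs one source may submit per window. A source that hits the cap is the kind of enumeration loop the monitoring advice above is looking for, and the same limiter is the rate limiting the advisory recommends as a mitigation. The log format, IP addresses, userIDs and thresholds are all invented for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample log for this example; the line format (RFC3339 timestamp,
// then key=value pairs) is invented here and is not Zitadel's log format.
// 203.0.113.5 walks through distinct userIDs; 198.51.100.7 retries one account.
var sampleLog = []string{
	"2025-08-22T10:00:00Z ip=203.0.113.5 user_id=u1001",
	"2025-08-22T10:00:01Z ip=203.0.113.5 user_id=u1002",
	"2025-08-22T10:00:02Z ip=203.0.113.5 user_id=u1003",
	"2025-08-22T10:00:03Z ip=203.0.113.5 user_id=u1004",
	"2025-08-22T10:00:04Z ip=203.0.113.5 user_id=u1005",
	"2025-08-22T10:00:00Z ip=198.51.100.7 user_id=u2001",
	"2025-08-22T10:02:00Z ip=198.51.100.7 user_id=u2001",
	"not a log line",
}

type event struct {
	When   time.Time
	IP     string
	UserID string
}

// parseLine extracts the fields the limiter needs; malformed lines are dropped.
func parseLine(line string) (event, bool) {
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return event{}, false
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return event{}, false
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	e := event{When: ts, IP: kv["ip"], UserID: kv["user_id"]}
	return e, e.IP != "" && e.UserID != ""
}

// identityLimiter lets each source IP submit at most maxDistinct different
// userIDs per fixed window. Repeating one ID (a user retrying) is free; walking
// through many IDs, which is what enumeration does, is cut off.
type identityLimiter struct {
	maxDistinct int
	window      time.Duration
	start       map[string]time.Time
	seen        map[string]map[string]struct{}
}

// allow reports whether the request should be served. The decision depends only
// on the source and the submitted ID, never on whether that ID exists.
func (l *identityLimiter) allow(ip, userID string, now time.Time) bool {
	if s, ok := l.start[ip]; !ok || now.Sub(s) >= l.window {
		l.start[ip] = now
		l.seen[ip] = map[string]struct{}{}
	}
	if _, ok := l.seen[ip][userID]; ok {
		return true
	}
	if len(l.seen[ip]) >= l.maxDistinct {
		return false
	}
	l.seen[ip][userID] = struct{}{}
	return true
}

// replay runs the log through a fresh limiter and returns the IPs refused at
// least once (the enumeration suspects) and the number of refused requests.
func replay(lines []string, maxDistinct int, window time.Duration) ([]string, int) {
	l := &identityLimiter{maxDistinct, window, map[string]time.Time{}, map[string]map[string]struct{}{}}
	refusedBy, total := map[string]int{}, 0
	for _, line := range lines {
		if e, ok := parseLine(line); ok && !l.allow(e.IP, e.UserID, e.When) {
			refusedBy[e.IP]++
			total++
		}
	}
	suspects := make([]string, 0, len(refusedBy))
	for ip := range refusedBy {
		suspects = append(suspects, ip)
	}
	sort.Strings(suspects)
	return suspects, total
}

func main() {
	suspects, refused := replay(sampleLog, 3, time.Minute)
	fmt.Println("suspects:", suspects, "refused:", refused)
}
```

The limiter counts every submitted ID, known or not; counting only unknown IDs would make the refusal itself a new existence oracle. A fixed window is the simplest form and lets a client burst across a window boundary, so a sliding window or token bucket keyed the same way (source plus distinct identity) is the better choice in production, and the same keying can be applied behind a shared NAT by adding a client fingerprint to the key.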

Responsible

GitHub M

Reservation

08/19/2025

Disclosure

08/22/2025

Moderation

accepted

CPE

ready

EPSS

0.00178

KEV

no

Activities

very low
