Zitadel up to 2.71.5 Ignoring Unknown Usernames information exposure

Summaryinfo

A vulnerability categorized as problematic has been discovered in Zitadel up to 2.71.5. Affected by this issue is some unknown functionality of the component Ignoring Unknown Usernames Handler. The manipulation results in information exposure. This vulnerability is identified as CVE-2025-31124. The attack can be executed remotely. There is not any exploit available. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability was found in Zitadel up to 2.71.5. It has been classified as problematic. Affected is an unknown functionality of the component Ignoring Unknown Usernames Handler. The manipulation with an unknown input leads to a information exposure vulnerability. CWE is classifying the issue as CWE-203. The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. This is going to have an impact on confidentiality. CVE summarizes:

Zitadel is open-source identity infrastructure software. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report "Username or Password invalid". While the setting was correctly respected during the login flow, the user's username was normalized leading to a disclosure of the user's existence. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9.

The advisory is available at github.com. This vulnerability is traded as CVE-2025-31124 since 03/26/2025. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1592 by the MITRE ATT&CK project.

Upgrading to version 2.63.9, 2.64.6, 2.65.7, 2.66.16, 2.67.13, 2.68.9, 2.69.9, 2.70.8 or 2.71.6 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 14de8ecac2afafee4975ed7ac26f3ca4a2b0f82c is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Name

• Zitadel

Version

• 2.63.0
• 2.63.1
• 2.63.2
• 2.63.3
• 2.63.4
• 2.63.5
• 2.63.6
• 2.63.7
• 2.63.8
• 2.64.0
• 2.64.1
• 2.64.2
• 2.64.3
• 2.64.4
• 2.64.5
• 2.65.0
• 2.65.1
• 2.65.2
• 2.65.3
• 2.65.4
• 2.65.5
• 2.65.6
• 2.66.0
• 2.66.1
• 2.66.2
• 2.66.3
• 2.66.4
• 2.66.5
• 2.66.6
• 2.66.7
• 2.66.8
• 2.66.9
• 2.66.10
• 2.66.11
• 2.66.12
• 2.66.13
• 2.66.14
• 2.66.15
• 2.67.0
• 2.67.1
• 2.67.2
• 2.67.3
• 2.67.4
• 2.67.5
• 2.67.6
• 2.67.7
• 2.67.8
• 2.67.9
• 2.67.10
• 2.67.11
• 2.67.12
• 2.68.0
• 2.68.1
• 2.68.2
• 2.68.3
• 2.68.4
• 2.68.5
• 2.68.6
• 2.68.7
• 2.68.8
• 2.69.0
• 2.69.1
• 2.69.2
• 2.69.3
• 2.69.4
• 2.69.5
• 2.69.6
• 2.69.7
• 2.69.8
• 2.70.0
• 2.70.1
• 2.70.2
• 2.70.3
• 2.70.4
• 2.70.5
• 2.70.6
• 2.70.7
• 2.71.0
• 2.71.1
• 2.71.2
• 2.71.3
• 2.71.4
• 2.71.5

License

• open-source

Website

• Product: https://github.com/zitadel/zitadel/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion