Zitadel up to 2.71.14/3.3.x/4.0.2 Login Interface information exposure

Summaryinfo

A vulnerability classified as problematic has been found in Zitadel up to 2.71.14/3.3.x/4.0.2. This affects an unknown function of the component Login Interface. The manipulation leads to information exposure. This vulnerability is documented as CVE-2025-57770. The attack can be initiated remotely. There is not any exploit available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in Zitadel up to 2.71.14/3.3.x/4.0.2. This issue affects some unknown processing of the component Login Interface. The manipulation with an unknown input leads to a information exposure vulnerability. Using CWE to declare the problem leads to CWE-203. The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. Impacted is confidentiality. The summary by CVE is:

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Versions 4.0.0 to 4.0.2, 3.0.0 to 3.3.6, and all versions prior to 2.71.15 are vulnerable to a username enumeration issue in the login interface. The login UI includes a security feature, Ignoring unknown usernames, that is intended to prevent username enumeration by returning a generic response for both valid and invalid usernames. This vulnerability allows an unauthenticated attacker to bypass this protection by submitting arbitrary userIDs to the select account page and distinguishing between valid and invalid accounts based on the system's response. For effective exploitation, an attacker needs to iterate through possible userIDs, but the impact can be limited by implementing rate limiting or similar measures. The issue has been patched in versions 4.0.3, 3.4.0, and 2.71.15.

It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2025-57770 since 08/19/2025. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1592 according to MITRE ATT&CK.

Upgrading to version 2.71.15, 3.4.0 or 4.0.3 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 7abe759c95cb360524d88b51744d03cbb6e4dcdb is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Name

• Zitadel

Version

• 2.71.0
• 2.71.1
• 2.71.2
• 2.71.3
• 2.71.4
• 2.71.5
• 2.71.6
• 2.71.7
• 2.71.8
• 2.71.9
• 2.71.10
• 2.71.11
• 2.71.12
• 2.71.13
• 2.71.14
• 3.0
• 3.1
• 3.2
• 3.3
• 4.0.0
• 4.0.1
• 4.0.2

License

• open-source

Website

• Product: https://github.com/zitadel/zitadel/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion