Username Enumeration Vulnerability in Zitadel Identity Infrastructure Software
CVE-2025-57770

5.3 MEDIUM

Key Information:

Vendor: Zitadel
Status: Vendor
CVE Published: 22 August 2025

What is CVE-2025-57770?

The Zitadel identity infrastructure software contains a username enumeration vulnerability in its login interface, affecting multiple versions. The login UI has a feature designed to obscure the difference between responses for valid and invalid usernames; this issue lets unauthenticated attackers defeat that feature. By submitting arbitrary userIDs, an attacker can tell valid accounts from invalid ones based on the system's responses. Effective exploitation requires iterating through candidate usernames, so rate limiting reduces the practical impact. The vulnerability has been addressed in subsequent versions.
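As an added illustration of the defensive side (example code, not Zitadel's own), the block below does two things the advisory points at: it flags sources that walk many distinct usernames in a short window in a login log, and it applies a per-source rate limit before any username lookup. The log format, the IP addresses, the thresholds and the function names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, time-ordered sample login log: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2025-08-22T10:00:00 203.0.113.5 alice login_failed
2025-08-22T10:00:01 203.0.113.5 bob login_failed
2025-08-22T10:00:02 203.0.113.5 carol login_failed
2025-08-22T10:00:03 203.0.113.5 dave login_failed
2025-08-22T10:00:10 198.51.100.7 alice login_failed
2025-08-22T10:00:40 198.51.100.7 alice login_ok
"""

def parse(line):
    ts, src, user, outcome = line.split()
    return datetime.fromisoformat(ts), src, user, outcome

def enumeration_sources(log, window=timedelta(seconds=60), max_distinct=3):
    """Sources that tried more than max_distinct different usernames inside
    one window: an owner mistyping a password looks nothing like a client
    walking a candidate list, whatever the login response reveals."""
    recent = defaultdict(deque)  # src -> (timestamp, username) pairs in window
    flagged = set()
    for ts, src, user, _ in map(parse, log.splitlines()):
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        if len({u for _, u in q}) > max_distinct:
            flagged.add(src)
    return flagged

class LoginRateLimiter:
    """Sliding-window cap on login attempts per source (times in seconds).
    Applied before the username is looked up, so it costs the same for valid
    and unknown accounts and does not become a new enumeration signal."""
    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self.attempts = defaultdict(deque)  # src -> attempt times in window

    def allow(self, src, now):
        q = self.attempts[src]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the cap: reject before touching user storage
        q.append(now)
        return True
```

The detection is independent of what the server answers, so it keeps working whether or not the response-obscuring feature is intact.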

Affected Version(s)

zitadel < 2.71.15

zitadel >= 3.0.0, < 3.4.0

zitadel >= 4.0.0, < 4.0.3

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
