Information Disclosure Vulnerability in ZITADEL Identity Infrastructure Tool
CVE-2025-67717

5.3 MEDIUM

Key Information:

Vendor: Zitadel

Status: Vendor

CVE Published: 11 December 2025

What is CVE-2025-67717?

An information disclosure vulnerability exists in the ZITADEL Identity Infrastructure Tool due to a flaw in how user instance data is handled. The flaw may allow an authenticated user to learn the total number of users in the system through the totalResult field, a count that can be sensitive in some deployments. No individual user records are exposed, but the leaked count still weakens the confidentiality posture of affected systems. Users are encouraged to upgrade to version 3.4.5 or 4.7.2 to mitigate this risk.

Affected Version(s)

zitadel < 1.80.0-v2.20.0.20251210

zitadel >= 2.44.0, < 3.4.5

zitadel >= 4.0.0-rc.1, < 4.7.2

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
