
Description

ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of users in the instance to any authenticated user, regardless of that user's permissions. No individual user data or PII is leaked, but exposing the instance-wide user count through the totalResult field is an information disclosure that can be sensitive in some contexts, for example where the size of a deployment is itself confidential. This issue is fixed in versions 3.4.5 and 4.7.2.
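The pattern behind this class of bug is a list endpoint that filters the returned rows by the caller's permissions but computes the total from the unfiltered table. The following is an added illustration, not ZITADEL's code and not the referenced fix commit: the user records, the organisation-scoping rule and the permission name "iam.user.read" are constructed assumptions. It shows a leaky handler beside one that derives the total from the same permission-filtered set the rows come from.

```go
package main

import "fmt"

// User is a minimal stand-in for an instance user record (constructed sample data).
type User struct {
	ID  string
	Org string
}

// Caller describes who is asking: their own organisation and granted permissions.
// The permission name "iam.user.read" is a hypothetical placeholder, not a ZITADEL identifier.
type Caller struct {
	Org   string
	Perms map[string]bool
}

// ListResult mirrors the shape of a paginated list response: a total plus one page of rows.
type ListResult struct {
	TotalResult uint64
	Users       []User
}

// allUsers is constructed sample data: six users across three organisations.
var allUsers = []User{
	{ID: "a1", Org: "orgA"}, {ID: "a2", Org: "orgA"},
	{ID: "b1", Org: "orgB"},
	{ID: "c1", Org: "orgC"}, {ID: "c2", Org: "orgC"}, {ID: "c3", Org: "orgC"},
}

// Two constructed callers: one scoped to its own organisation, one with the
// hypothetical instance-wide read permission.
var (
	orgAViewer    = Caller{Org: "orgA", Perms: map[string]bool{}}
	instanceAdmin = Caller{Org: "orgA", Perms: map[string]bool{"iam.user.read": true}}
)

// canSee is the assumed row-level rule: instance-wide readers see everyone,
// everybody else sees only users of their own organisation.
func canSee(c Caller, u User) bool {
	return c.Perms["iam.user.read"] || u.Org == c.Org
}

// permitted returns only the rows the caller is allowed to see.
func permitted(c Caller) []User {
	var out []User
	for _, u := range allUsers {
		if canSee(c, u) {
			out = append(out, u)
		}
	}
	return out
}

// page cuts one page out of an already-filtered slice.
func page(rows []User, offset, limit int) []User {
	if offset > len(rows) {
		offset = len(rows)
	}
	end := offset + limit
	if end > len(rows) {
		end = len(rows)
	}
	return rows[offset:end]
}

// listUsersLeaky filters the rows correctly but takes the total from the
// unfiltered table, so every authenticated caller learns the instance-wide
// user count even when they may only see their own organisation.
func listUsersLeaky(c Caller, offset, limit int) ListResult {
	total := uint64(len(allUsers)) // BUG: counted before the permission filter
	return ListResult{TotalResult: total, Users: page(permitted(c), offset, limit)}
}

// listUsersFixed derives the total from the same permission-filtered set the
// rows come from, so TotalResult never reveals more than the caller may read.
func listUsersFixed(c Caller, offset, limit int) ListResult {
	rows := permitted(c)
	return ListResult{TotalResult: uint64(len(rows)), Users: page(rows, offset, limit)}
}

func main() {
	handlers := []struct {
		name string
		fn   func(Caller, int, int) ListResult
	}{{"leaky", listUsersLeaky}, {"fixed", listUsersFixed}}
	for _, h := range handlers {
		r := h.fn(orgAViewer, 0, 1)
		fmt.Printf("%s: org-scoped caller gets %d row(s) on page 1, TotalResult=%d\n",
			h.name, len(r.Users), r.TotalResult)
	}
}
```

With pagination in play, comparing TotalResult to the number of rows returned is not enough to spot the leak; the check that matters is whether the total exceeds the count of everything the caller could page through. Running the block shows the org-scoped caller receiving TotalResult=6 from the leaky handler and TotalResult=2 from the fixed one.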

PUBLISHED Reserved 2025-12-10 | Published 2025-12-11 | Updated 2025-12-11 | Assigner GitHub_M




MEDIUM: 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere

Product status

< 1.80.0-v2.20.0.20251210
affected

>= 2.44.0, < 3.4.5
affected

>= 4.0.0-rc.1, < 4.7.2
affected

References

github.com/...itadel/security/advisories/GHSA-f4cf-9rvr-2rcx

github.com/...ommit/826039c6208fe71df57b3a94c982b5ac5b0af12c

cve.org (CVE-2025-67717)

nvd.nist.gov (CVE-2025-67717)
