CVE-2025-67717

ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the totalResult field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. This issue is fixed in versions 3.4.5 and 4.7.2.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/zitadel/zitadel/commit/826039c6208fe71df57b3a94c982b5ac5b0af12c	Patch
https://github.com/zitadel/zitadel/security/advisories/GHSA-f4cf-9rvr-2rcx	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zitadel:zitadel::::::::
	cpe:2.3:a:zitadel:zitadel::::::::
	cpe:2.3:a:zitadel:zitadel::::::::

History

02 Feb 2026, 15:10

Type	Values Removed	Values Added
References	~~() https://github.com/zitadel/zitadel/commit/826039c6208fe71df57b3a94c982b5ac5b0af12c -~~	() https://github.com/zitadel/zitadel/commit/826039c6208fe71df57b3a94c982b5ac5b0af12c - Patch
References	~~() https://github.com/zitadel/zitadel/security/advisories/GHSA-f4cf-9rvr-2rcx -~~	() https://github.com/zitadel/zitadel/security/advisories/GHSA-f4cf-9rvr-2rcx - Patch, Vendor Advisory
First Time		Zitadel Zitadel zitadel
CPE		cpe:2.3:a:zitadel:zitadel::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3

11 Dec 2025, 01:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-11 01:16

Updated : 2026-02-02 15:10

NVD link : CVE-2025-67717

Mitre link : CVE-2025-67717

CVE.ORG link : CVE-2025-67717

JSON object : View

Products Affected

zitadel

zitadel

CWE

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

{"id": "CVE-2025-67717", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-12-11T01:16:01.027", "references": [{"url": "https://github.com/zitadel/zitadel/commit/826039c6208fe71df57b3a94c982b5ac5b0af12c", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-f4cf-9rvr-2rcx", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-497"}]}], "descriptions": [{"lang": "en", "value": "ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the totalResult field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. This issue is fixed in versions 3.4.5 and 4.7.2."}], "lastModified": "2026-02-02T15:10:37.503", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1578A112-B6ED-4453-A4A8-93D034A980DB", "versionEndIncluding": "2.71.19", "versionStartIncluding": "2.44.0"}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E455D450-9A02-47A4-AC6B-3A23B477A543", "versionEndExcluding": "3.4.5", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FBFDBC95-1E62-4EFA-9D4A-ECCC074F112B", "versionEndExcluding": "4.7.2", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}