CVE-2025-31124

Zitadel is open-source identity infrastructure software. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report "Username or Password invalid". While the setting was correctly respected during the login flow, the user's username was normalized leading to a disclosure of the user's existence. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/zitadel/zitadel/commit/14de8ecac2afafee4975ed7ac26f3ca4a2b0f82c
https://github.com/zitadel/zitadel/releases/tag/v2.63.9
https://github.com/zitadel/zitadel/releases/tag/v2.64.6
https://github.com/zitadel/zitadel/releases/tag/v2.65.7
https://github.com/zitadel/zitadel/releases/tag/v2.66.16
https://github.com/zitadel/zitadel/releases/tag/v2.67.13
https://github.com/zitadel/zitadel/releases/tag/v2.68.9
https://github.com/zitadel/zitadel/releases/tag/v2.69.9
https://github.com/zitadel/zitadel/releases/tag/v2.70.8
https://github.com/zitadel/zitadel/releases/tag/v2.71.6
https://github.com/zitadel/zitadel/security/advisories/GHSA-67m4-8g4w-633q

Configurations

No configuration.

History

31 Mar 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-31 20:15

Updated : 2025-04-01 20:26

NVD link : CVE-2025-31124

Mitre link : CVE-2025-31124

CVE.ORG link : CVE-2025-31124

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-203

Observable Discrepancy

CWE-204

Observable Response Discrepancy

{"id": "CVE-2025-31124", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-03-31T20:15:15.707", "references": [{"url": "https://github.com/zitadel/zitadel/commit/14de8ecac2afafee4975ed7ac26f3ca4a2b0f82c", "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/releases/tag/v2.63.9", "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/releases/tag/v2.64.6", "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/releases/tag/v2.65.7", "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/releases/tag/v2.66.16", "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/releases/tag/v2.67.13", "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/releases/tag/v2.68.9", "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/releases/tag/v2.69.9", "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/releases/tag/v2.70.8", "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/releases/tag/v2.71.6", "source": "security-advisories@github.com"}, {"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-67m4-8g4w-633q", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-203"}, {"lang": "en", "value": "CWE-204"}]}], "descriptions": [{"lang": "en", "value": "Zitadel is open-source identity infrastructure software. ZITADEL administrators can enable a setting called \"Ignoring unknown usernames\" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report \"Username or Password invalid\". While the setting was correctly respected during the login flow, the user's username was normalized leading to a disclosure of the user's existence. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9."}], "lastModified": "2025-04-01T20:26:22.890", "sourceIdentifier": "security-advisories@github.com"}