VDB
CVE-2025-67717
CVE-2025-67717
PUBLISHED
CVSS 5.300000190734863 MEDIUM
ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the totalResult field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. This issue is fixed in versions 3.4.5 and 4.7.2.
EPSS 0.04% · 11.1th percentile
Risk Scores
CVSS v4.0
5.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.04%
11.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | zitadel/zitadel | 4.0.0-rc.1, 2.44.0, 0 |
| zitadel | zitadel | >= 2.44.0, < 3.4.5, >= 4.0.0-rc.1, < 4.7.2, 2.44.0 |
Timeline
- Dec 10, 2025 CVE Published
- Dec 11, 2025 EPSS Score
- Dec 11, 2025 PoC Published
- Dec 15, 2025 EPSS Score
- Dec 19, 2025 EPSS Score
- Dec 23, 2025 EPSS Score
- Dec 27, 2025 EPSS Score
- Jan 1, 2026 EPSS Score
- Jan 5, 2026 EPSS Score
- Jan 9, 2026 EPSS Score
- Jan 13, 2026 EPSS Score
- Jan 17, 2026 EPSS Score