PT-2025-13822 · Zitadel · Zitadel

Ivan-Jedek · Published 2025-03-31 · Updated 2025-04-01 · CVE-2025-31124

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Zitadel versions prior to 2.71.6
Zitadel versions prior to 2.70.8
Zitadel versions prior to 2.69.9
Zitadel versions prior to 2.68.9
Zitadel versions prior to 2.67.13
Zitadel versions prior to 2.66.16
Zitadel versions prior to 2.65.7
Zitadel versions prior to 2.64.6
Zitadel versions prior to 2.63.9
Description

The issue concerns Zitadel, an open-source identity infrastructure product. The "Ignoring unknown usernames" setting is meant to defeat attempts to guess or enumerate usernames: with it enabled, the login flow shows the password prompt and returns the generic "Username or Password invalid" error even when the entered username does not exist, so a failed login is supposed to look the same for existing and non-existing accounts. However, the normalization applied to the username during the lookup causes the two cases to differ observably, so an attacker can still learn whether a given username exists even with the setting enabled. The generic error message alone is therefore not sufficient; every part of the response that depends on whether an account was found must be identical in both cases.
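The following Go program is an added illustration of the flaw class the advisory describes and is not code from Zitadel or from the advisory. It assumes, for the sake of the example, that normalization means trimming whitespace and lowercasing, that the login page echoes the submitted username back in the password prompt, and that the sample accounts are constructed; the advisory does not state the actual normalization rules or where the difference surfaces. The function names (vulnerableUsernameStep, fixedUsernameStep, echoesCanonical, leaksExistence) are hypothetical. It shows a username step that only normalizes on a successful lookup beside one that normalizes unconditionally, and an attacker-side probe that distinguishes the two.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample accounts for this example (not real Zitadel data).
var users = map[string]string{
	"alice@example.com": "correct-horse",
	"bob@example.com":   "battery-staple",
}

// genericError is the message the advisory quotes for the password step.
const genericError = "Username or Password invalid"

// normalize stands in for the lookup-time normalization. The advisory does
// not state the exact rules; trimming and lowercasing are assumed here.
func normalize(username string) string {
	return strings.ToLower(strings.TrimSpace(username))
}

// Outcome is what a client can observe after submitting a username with
// "Ignoring unknown usernames" enabled: the prompt and the username shown
// in it. That the username is echoed is an assumption of this example.
type Outcome struct {
	PasswordPrompt bool
	EchoedUsername string
}

// vulnerableUsernameStep models the flaw: the password prompt appears in
// both cases, but the normalized form is only used once an account was
// found, so the echoed value depends on whether the user exists.
func vulnerableUsernameStep(input string) Outcome {
	norm := normalize(input)
	if _, ok := users[norm]; ok {
		return Outcome{PasswordPrompt: true, EchoedUsername: norm}
	}
	return Outcome{PasswordPrompt: true, EchoedUsername: input}
}

// fixedUsernameStep normalizes unconditionally, so the response is
// identical for known and unknown users.
func fixedUsernameStep(input string) Outcome {
	norm := normalize(input)
	_ = users[norm] // the lookup result must not shape the response
	return Outcome{PasswordPrompt: true, EchoedUsername: norm}
}

// passwordStep returns the same generic error for an unknown user and for
// a wrong password; an empty string means success.
func passwordStep(input, password string) string {
	stored, ok := users[normalize(input)]
	if !ok || stored != password {
		return genericError
	}
	return ""
}

// echoesCanonical is the attacker's probe: submit a deliberately
// non-canonical spelling and check whether the canonical form comes back.
func echoesCanonical(step func(string) Outcome, username string) bool {
	probe := "  " + strings.ToUpper(username)
	return step(probe).EchoedUsername == normalize(username)
}

// leaksExistence reports whether the probe distinguishes a known account
// from an unknown one, i.e. whether the setting is effectively bypassed.
func leaksExistence(step func(string) Outcome) bool {
	return echoesCanonical(step, "alice@example.com") !=
		echoesCanonical(step, "nobody@example.com")
}

func main() {
	fmt.Println("vulnerable leaks existence:", leaksExistence(vulnerableUsernameStep))
	fmt.Println("fixed leaks existence:     ", leaksExistence(fixedUsernameStep))
	fmt.Println("unknown user, any password:", passwordStep("nobody@example.com", "x"))
	fmt.Println("known user, wrong password:", passwordStep("Alice@Example.com", "wrong"))
}
```

The probe works because the attacker controls the input form: a spelling that normalization would change is submitted, and whether the canonical spelling comes back reveals whether the lookup succeeded. The fixed step removes that difference from the response body; response timing is a separate channel that this example does not address.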
Recommendations

Update to version 2.71.6 or later for the 2.71 branch.
Update to version 2.70.8 or later for the 2.70 branch.
Update to version 2.69.9 or later for the 2.69 branch.
Update to version 2.68.9 or later for the 2.68 branch.
Update to version 2.67.13 or later for the 2.67 branch.
Update to version 2.66.16 or later for the 2.66 branch.
Update to version 2.65.7 or later for the 2.65 branch.
Update to version 2.64.6 or later for the 2.64 branch.
Update to version 2.63.9 or later for the 2.63 branch.

Exploit

Fix

Tags: Information Disclosure · Side Channel Attack

Weakness Enumeration

Related Identifiers

CVE-2025-31124
GHSA-67M4-8G4W-633Q

Affected Products

Zitadel