PT-2025-34464 · Zitadel · Zitadel
Adksrijan +1
Published: 2025-08-22 · Updated: 2025-08-26
CVE-2025-57770 · CVSS v3.1 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Zitadel 4.0.0 through 4.0.2; Zitadel 3.0.0 through 3.3.6; Zitadel versions prior to 2.71.15
Description: Zitadel allows administrators to disable user self-registration, and its login settings include an 'Ignoring unknown usernames' option, which is meant to make the login flow answer the same way whether or not a submitted username exists, so that the login page cannot be used to discover valid accounts. The select account page of the login interface bypasses this setting: an unauthenticated attacker can submit arbitrary userIDs to it and tell valid accounts from invalid ones by the difference in the system's response. Exploitation requires iterating through candidate userIDs, so rate limiting on the login endpoints reduces the impact (it slows the enumeration but does not remove the response discrepancy); the fixed releases listed below remove it.
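To make the discrepancy concrete, the following added example (written for this page, not Zitadel's own code or endpoints) models a select account step in two forms: a handler whose reply depends on whether the user ID exists, and one that honours an ignore-unknown-usernames setting by replying identically either way. It also shows the differential check a tester can run against a deployment after upgrading, and a sliding-window rate limiter of the kind the advisory names as a mitigation. The user IDs, status codes and step names are constructed for the demonstration and carry no relation to real Zitadel identifiers or its API.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Constructed user store; IDs are illustrative, not real Zitadel identifiers.
var knownUsers = map[string]bool{"user-1001": true, "user-1002": true}

// Response is what an unauthenticated caller can observe from a login step.
type Response struct {
	Status   int
	NextStep string
	Message  string
}

// selectAccountLeaky models the enumeration oracle: the reply depends on
// whether the submitted user ID exists, so iterating IDs sorts them into
// valid and invalid accounts.
func selectAccountLeaky(userID string) Response {
	if !knownUsers[userID] {
		return Response{Status: 404, NextStep: "select_account", Message: "user not found"}
	}
	return Response{Status: 200, NextStep: "password"}
}

// selectAccountUniform models what an "ignore unknown usernames" setting is
// meant to achieve: with ignoreUnknown set, known and unknown IDs get the same
// reply, and an unknown user only fails later, at the credential check, with
// the same generic error a wrong password produces.
func selectAccountUniform(userID string, ignoreUnknown bool) Response {
	if !knownUsers[userID] && !ignoreUnknown {
		return Response{Status: 404, NextStep: "select_account", Message: "user not found"}
	}
	return Response{Status: 200, NextStep: "password"}
}

// differential is the check to run against a handler after the fix: compare
// each candidate's reply with the reply for an ID that certainly does not
// exist. Any candidate whose reply differs has been confirmed by the oracle.
func differential(handler func(string) Response, candidates []string) map[string]bool {
	baseline := handler("id-that-does-not-exist")
	revealed := map[string]bool{}
	for _, id := range candidates {
		if handler(id) != baseline {
			revealed[id] = true
		}
	}
	return revealed
}

// RateLimiter is a sliding-window limiter keyed by client (e.g. source IP),
// the mitigation the advisory mentions. It slows iteration over candidate
// IDs; it does not remove the discrepancy.
type RateLimiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	hits   map[string][]time.Time
}

func NewRateLimiter(limit int, window time.Duration) *RateLimiter {
	return &RateLimiter{limit: limit, window: window, hits: map[string][]time.Time{}}
}

// Allow records a request from client at time now and reports whether it
// stays within limit for the window ending at now.
func (r *RateLimiter) Allow(client string, now time.Time) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	cutoff := now.Add(-r.window)
	kept := r.hits[client][:0] // filter in place, dropping hits outside the window
	for _, t := range r.hits[client] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	if len(kept) >= r.limit {
		r.hits[client] = kept
		return false
	}
	r.hits[client] = append(kept, now)
	return true
}

func main() {
	candidates := []string{"user-1000", "user-1001", "user-1002", "user-1003"}
	fmt.Println("leaky handler reveals:", differential(selectAccountLeaky, candidates))
	uniform := func(id string) Response { return selectAccountUniform(id, true) }
	fmt.Println("uniform handler reveals:", differential(uniform, candidates))
	rl := NewRateLimiter(3, time.Minute)
	for i := 1; i <= 4; i++ {
		fmt.Printf("request %d allowed: %v\n", i, rl.Allow("10.0.0.1", time.Now()))
	}
}
```

The differential check compares whole replies, not just status codes: a fixed flow must match on status, next step, body and (in a real test) response time, since any of those can carry the same bit of information. The limiter shows why rate limiting is a mitigation rather than a fix: a fourth request in the window is refused, but the first three still answer differently for known and unknown IDs if the handler is the leaky one.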
Recommendations: Update to Zitadel 4.0.3 or later (4.x line); update to Zitadel 3.4.0 or later (3.x line); update to Zitadel 2.71.15 or later (2.x line).
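A deployment can be checked against the three ranges above without reading them by hand. The following added example (not part of the advisory or of Zitadel) parses a MAJOR.MINOR.PATCH release tag, tests it against the affected ranges exactly as the advisory states them, and names the first fixed release on that line; "prior to 2.71.15" is modelled as everything up to and including 2.71.14, and versions on major lines the advisory does not list (5.x and later) are reported as not in an affected range, which is all the advisory supports.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a MAJOR.MINOR.PATCH triple as used by Zitadel release tags.
type version struct{ major, minor, patch int }

// parseVersion accepts "4.0.2" or "v4.0.2" and rejects anything else.
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("expected MAJOR.MINOR.PATCH, got %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return version{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		n[i] = v
	}
	return version{n[0], n[1], n[2]}, nil
}

// before reports whether a sorts strictly before b.
func (a version) before(b version) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// affectedRange is one inclusive range from the advisory together with the
// first fixed release on that line.
type affectedRange struct {
	from, through version
	fixed         string
}

// advisoryRanges transcribes the affected versions and fixes stated above.
var advisoryRanges = []affectedRange{
	{version{4, 0, 0}, version{4, 0, 2}, "4.0.3"},
	{version{3, 0, 0}, version{3, 3, 6}, "3.4.0"},
	{version{0, 0, 0}, version{2, 71, 14}, "2.71.15"}, // "prior to 2.71.15"
}

// isAffected reports whether the release falls in an affected range and, if
// so, the first fixed release to move to.
func isAffected(s string) (bool, string, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, "", err
	}
	for _, r := range advisoryRanges {
		if !v.before(r.from) && !r.through.before(v) {
			return true, r.fixed, nil
		}
	}
	return false, "", nil
}

func main() {
	for _, s := range []string{"4.0.2", "4.0.3", "3.3.6", "v2.70.0", "2.71.15"} {
		affected, fixed, err := isAffected(s)
		switch {
		case err != nil:
			fmt.Println(s, "->", err)
		case affected:
			fmt.Printf("%s is affected, update to %s or later\n", s, fixed)
		default:
			fmt.Printf("%s is not in an affected range\n", s)
		}
	}
}
```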

Exploit · Fix · Side Channel Attack

Weakness Enumeration

Related Identifiers: CVE-2025-57770 · GHSA-G9C3-XH6V-FR86

Affected Products: Zitadel