CVE-2025-31124
📋 TL;DR
ZITADEL's 'Ignoring unknown usernames' setting fails to properly hide user existence due to username normalization, allowing attackers to determine if specific usernames exist in the system. This affects ZITADEL administrators who have enabled this setting to prevent username enumeration. The vulnerability exposes user existence information that should remain hidden.
💻 Affected Systems
- ZITADEL
📦 What is this software?
Zitadel by Zitadel
⚠️ Risk & Real-World Impact
Worst Case
Attackers can enumerate valid usernames, enabling targeted credential stuffing or social engineering attacks against known users.
Likely Case
Username enumeration leading to targeted password attacks against identified users.
If Mitigated
Limited information disclosure with no direct authentication bypass or data access.
🎯 Exploit Status
Exploitation requires sending authentication requests and observing differences in username normalization behavior between existing and non-existing accounts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, or 2.63.9
Vendor Advisory: https://github.com/zitadel/zitadel/commit/14de8ecac2afafee4975ed7ac26f3ca4a2b0f82c
Restart Required: Yes
Instructions:
1. Identify the current ZITADEL version.
2. Upgrade to the patched version matching your release branch.
3. Restart ZITADEL services.
4. Verify the fix by testing username enumeration.
🔧 Temporary Workarounds
Disable 'Ignoring unknown usernames' setting
Temporarily disable the vulnerable feature to prevent username enumeration.
zitadel management set-login-policy --ignore-unknown-usernames false
🧯 If You Can't Patch
- Disable 'Ignoring unknown usernames' setting to prevent exploitation
- Implement rate limiting on authentication endpoints to reduce enumeration effectiveness
🔍 How to Verify
Check if Vulnerable:
Test authentication with known and unknown usernames while 'Ignoring unknown usernames' is enabled, looking for differences in username normalization behavior
Check Version:
zitadel version
Verify Fix Applied:
After patching, verify that username normalization no longer leaks user existence information
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts with similar username variations
- Unusual patterns of authentication requests
Network Indicators:
- High volume of authentication requests to ZITADEL endpoints
- Requests with systematically varied usernames
SIEM Query:
source="zitadel" AND (event="authentication_failed" OR event="login_attempt") | stats count by username | where count > threshold
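The SIEM query above counts failures per username; the log indicator "similar username variations" is easier to spot when usernames are normalized (trimmed, case-folded) and grouped per source. The following Python script is an added example, not ZITADEL's own code, and the log line format and sample lines it parses are constructed for illustration rather than taken from real ZITADEL logs. It flags sources that exceed a failure threshold while presenting several spellings of the same normalized username.

```python
"""Added detection example (not ZITADEL's own code or log format).

Groups failed-login events by source IP, normalizes usernames (trim,
case-fold) and flags sources that probe several variants of the same
base username, which is the pattern the log indicators above describe.
The log line format and the sample lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed log line format (an assumption, not ZITADEL's actual format):
# <timestamp> event=<name> ip=<addr> username="<name>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+) username="(?P<username>[^"]*)"$'
)

# Event names mirror the ones used in the SIEM query on this page.
FAILURE_EVENTS = {"authentication_failed", "login_attempt"}

# Constructed sample log: one source cycling through spellings of two
# usernames, one benign source with a single typo.
SAMPLE_LOG = """\
2025-04-01T10:00:01Z event=authentication_failed ip=203.0.113.7 username="alice"
2025-04-01T10:00:02Z event=authentication_failed ip=203.0.113.7 username="Alice"
2025-04-01T10:00:03Z event=authentication_failed ip=203.0.113.7 username="ALICE "
2025-04-01T10:00:04Z event=authentication_failed ip=203.0.113.7 username=" alice"
2025-04-01T10:00:05Z event=authentication_failed ip=203.0.113.7 username="bob"
2025-04-01T10:00:06Z event=authentication_failed ip=203.0.113.7 username="Bob"
2025-04-01T10:00:07Z event=login_success ip=198.51.100.4 username="carol"
2025-04-01T10:00:08Z event=authentication_failed ip=198.51.100.4 username="carol"
"""


def normalize(username: str) -> str:
    """Collapse the whitespace and case variations a probe cycles through."""
    return username.strip().casefold()


def parse(log_text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def enumeration_suspects(log_text: str, min_failures: int = 3, min_variants: int = 2):
    """Return {ip: {normalized_username: [raw variants...]}} for sources with
    at least min_failures failed attempts that also used at least
    min_variants distinct spellings of the same normalized username."""
    failures = defaultdict(int)
    variants = defaultdict(lambda: defaultdict(set))
    for event in parse(log_text):
        if event["event"] not in FAILURE_EVENTS:
            continue
        failures[event["ip"]] += 1
        variants[event["ip"]][normalize(event["username"])].add(event["username"])

    suspects = {}
    for ip, count in failures.items():
        if count < min_failures:
            continue
        flagged = {
            base: sorted(seen)
            for base, seen in variants[ip].items()
            if len(seen) >= min_variants
        }
        if flagged:
            suspects[ip] = flagged
    return suspects


if __name__ == "__main__":
    for ip, bases in enumeration_suspects(SAMPLE_LOG).items():
        print(ip, bases)
```

The thresholds are parameters rather than constants so the same function can be tuned per environment; a single failed login with one spelling (the 198.51.100.4 source) is never flagged, while a source that both exceeds the failure count and varies the spelling of the same account is.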
🔗 References
- https://github.com/zitadel/zitadel/commit/14de8ecac2afafee4975ed7ac26f3ca4a2b0f82c
- https://github.com/zitadel/zitadel/releases/tag/v2.63.9
- https://github.com/zitadel/zitadel/releases/tag/v2.64.6
- https://github.com/zitadel/zitadel/releases/tag/v2.65.7
- https://github.com/zitadel/zitadel/releases/tag/v2.66.16
- https://github.com/zitadel/zitadel/releases/tag/v2.67.13
- https://github.com/zitadel/zitadel/releases/tag/v2.68.9
- https://github.com/zitadel/zitadel/releases/tag/v2.69.9
- https://github.com/zitadel/zitadel/releases/tag/v2.70.8
- https://github.com/zitadel/zitadel/releases/tag/v2.71.6
- https://github.com/zitadel/zitadel/security/advisories/GHSA-67m4-8g4w-633q