CVE-2025-67717
📋 TL;DR
ZITADEL versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users regardless of their permissions. This information disclosure vulnerability could reveal sensitive organizational metrics about user base size. All ZITADEL deployments using affected versions are impacted.
💻 Affected Systems
- ZITADEL
📦 What is this software?
Zitadel by Zitadel
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use user count data for reconnaissance, competitive intelligence gathering, or to estimate organizational size for targeted attacks.
Likely Case
Authenticated users (including low-privileged ones) can access metrics about total user counts that should be restricted.
If Mitigated
With proper access controls, only authorized administrators can view user count statistics.
🎯 Exploit Status
Exploitation requires authenticated access but no special permissions. The vulnerability is in the API response structure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.5 and 4.7.2
Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-f4cf-9rvr-2rcx
Restart Required: Yes
Instructions:
1. Backup your ZITADEL configuration and data.
2. Upgrade to ZITADEL 3.4.5 if using v3.x, or 4.7.2 if using v4.x.
3. Restart the ZITADEL service.
4. Verify the fix by checking that authenticated users without proper permissions can no longer access total user counts.
🔧 Temporary Workarounds
API Gateway Filtering
Configure your API gateway or reverse proxy to strip the totalResult field from responses returned to callers who lack the permission to view user counts.
Access Control Enhancement
Add authentication middleware in front of ZITADEL that restricts access to user-listing and statistics endpoints to accounts that are entitled to see them.
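As an added example (not ZITADEL's or any gateway's own code) of the API gateway workaround above, the filter below scrubs every totalResult field from a JSON response body unless the caller holds a privileged role. It assumes the caller's roles have already been extracted from a validated token by the proxy, and the role names and the sample response are constructed placeholders to adjust for your deployment.

```python
import json
from typing import Any

# Assumed: roles that may see instance-wide user totals; adjust to your setup.
PRIVILEGED_ROLES = {"IAM_OWNER", "IAM_OWNER_VIEWER"}

# Constructed sample of a ZITADEL-style list response; "details" carries the
# total count that the advisory says is exposed to any authenticated caller.
SAMPLE_RESPONSE = json.dumps({
    "details": {"totalResult": "1337", "processedSequence": "42",
                "timestamp": "2025-01-01T00:00:00Z"},
    "result": [{"userId": "u1", "userName": "alice"},
               {"userId": "u2", "userName": "bob"}],
}).encode()


def _strip_key(node: Any, key: str) -> Any:
    """Recursively drop every occurrence of `key`, wherever it sits in the tree,
    so the filter does not depend on the exact response layout."""
    if isinstance(node, dict):
        return {k: _strip_key(v, key) for k, v in node.items() if k != key}
    if isinstance(node, list):
        return [_strip_key(v, key) for v in node]
    return node


def filter_response(body: bytes, caller_roles: set) -> bytes:
    """Return the upstream body unchanged for privileged callers; for everyone
    else return it with all totalResult fields removed. Non-JSON bodies pass
    through untouched so the proxy never corrupts binary or error payloads."""
    if caller_roles & PRIVILEGED_ROLES:
        return body
    try:
        doc = json.loads(body)
    except ValueError:
        return body
    return json.dumps(_strip_key(doc, "totalResult"), separators=(",", ":")).encode()


if __name__ == "__main__":
    print(filter_response(SAMPLE_RESPONSE, {"ORG_USER"}).decode())
    print(filter_response(SAMPLE_RESPONSE, {"IAM_OWNER"}).decode())
```

The scrub is recursive on purpose: the count must be removed even if a future response version moves it out of the details object.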
🧯 If You Can't Patch
- Implement network segmentation to restrict access to ZITADEL API endpoints from unauthorized users
- Monitor and audit access to user statistics endpoints for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Authenticate to ZITADEL with a low-privilege account and query user-listing endpoints to see whether the totalResult field is returned in the response.
Check Version:
zitadel version (or check ZITADEL admin interface for version information)
Verify Fix Applied:
After patching, verify that low-privilege authenticated users cannot access total user count information via API responses.
📡 Detection & Monitoring
Log Indicators:
- Multiple requests to user statistics endpoints from non-admin accounts
- Unusual pattern of user count queries
Network Indicators:
- API requests to /users or similar endpoints whose responses contain the totalResult field
SIEM Query:
source="zitadel" AND (endpoint="/api/v1/users" OR endpoint="/users") AND user_role!="admin" AND response_contains="totalResult"