CVE-2025-57770 Overview
CVE-2025-57770 is a username enumeration vulnerability in Zitadel, an open-source identity infrastructure platform. The flaw affects versions 4.0.0 to 4.0.2, 3.0.0 to 3.3.6, and all versions prior to 2.71.15. Zitadel provides a security feature called Ignoring unknown usernames that returns a generic response for both valid and invalid usernames to prevent enumeration. An unauthenticated attacker can bypass this protection by submitting arbitrary userIDs to the select account page. The server's response reveals whether the account exists, enabling systematic enumeration of valid users. The issue is tracked under [CWE-203] (Observable Discrepancy).
Critical Impact
An unauthenticated remote attacker can enumerate valid Zitadel user accounts by iterating through userIDs against the login select account page, defeating the anti-enumeration control designed to prevent this exposure.
Affected Products
- Zitadel versions 4.0.0 through 4.0.2
- Zitadel versions 3.0.0 through 3.3.6
- Zitadel all versions prior to 2.71.15
Discovery Timeline
- 2025-08-22 - CVE-2025-57770 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-57770
Vulnerability Analysis
Zitadel's login user interface implements the Ignoring unknown usernames feature to defeat account enumeration. When enabled, the login form returns identical responses regardless of whether a submitted username exists. This design forces attackers to complete authentication attempts before learning whether an account is valid.
The select account page does not honor this protection. When a client submits a userID to that endpoint, the application responds differently based on whether the ID maps to an existing account. An unauthenticated attacker can observe this discrepancy and classify each userID as valid or invalid.
The impact is limited to confidentiality of user identifiers. However, the enumerated accounts can seed downstream attacks such as password spraying, credential stuffing, and targeted phishing against confirmed identities.
Root Cause
The SelectUser call chain in the login handlers did not enforce the ignore-unknown-usernames policy. The patch adds a new boolean parameter to SelectUser so callers can suppress account existence disclosure. Both internal/api/ui/login/external_provider_handler.go and internal/api/ui/login/register_handler.go now pass false to align select-account behavior with the anti-enumeration guarantee provided elsewhere in the login flow.
Attack Vector
Exploitation requires only network access to the Zitadel login endpoint. No authentication or user interaction is needed. An attacker iterates through candidate userIDs, sending each to the select account page and comparing responses. Successful enumeration produces a list of valid identifiers that can be used to focus further attacks. Rate limiting and quota controls constrain the throughput of enumeration attempts.
// Patch: internal/api/ui/login/external_provider_handler.go
func (l *Login) autoLinkUser(r *http.Request, authReq *domain.AuthRequest, user *query.NotifyUser) error {
- if err := l.authRepo.SelectUser(r.Context(), authReq.ID, user.ID, authReq.AgentID); err != nil {
+ if err := l.authRepo.SelectUser(r.Context(), authReq.ID, user.ID, authReq.AgentID, false); err != nil {
return err
}
if err := l.authRepo.LinkExternalUsers(r.Context(), authReq.ID, authReq.AgentID, domain.BrowserInfoFromRequest(r)); err != nil {
Source: Zitadel commit 7abe759c
Detection Methods for CVE-2025-57770
Indicators of Compromise
- High volumes of requests to the Zitadel select account page originating from a small number of source IPs.
- Sequential or dictionary-style userID submissions with a low ratio of successful authentications.
- Repeated failed selections followed by targeted authentication attempts against a subset of confirmed userIDs.
Detection Strategies
- Correlate Zitadel login access logs to identify clients issuing many select-account requests with distinct userID values.
- Alert when a single source generates response-code or response-size distributions that indicate probing behavior.
- Baseline normal select-account traffic per tenant and flag statistical deviations that resemble enumeration.
Monitoring Recommendations
- Ship Zitadel application logs and reverse-proxy access logs to a centralized analytics platform for retention and correlation.
- Monitor rate-limit and quota events documented in the Zitadel Limits and Quotas guide.
- Track authentication success rates per source IP to surface post-enumeration credential-stuffing attempts.
How to Mitigate CVE-2025-57770
Immediate Actions Required
- Upgrade Zitadel to version 4.0.3, 3.4.0, or 2.71.15, matching the branch currently in production.
- Enable rate limiting on the login and select-account endpoints to constrain enumeration throughput.
- Review recent access logs for signs of userID iteration and rotate any exposed identifiers where feasible.
Patch Information
The vendor released fixed builds in Zitadel v4.0.3, Zitadel v3.4.0, and Zitadel v2.71.15. Technical remediation details are provided in GitHub Security Advisory GHSA-g9c3-xh6v-fr86. The fix adds an additional parameter to SelectUser so login handlers enforce the ignore-unknown-usernames policy on the select-account path.
Workarounds
- Configure Zitadel quotas and rate limits per the Zitadel production guidance to slow enumeration.
- Restrict access to the login UI to trusted networks where the deployment model permits.
- Deploy a Web Application Firewall rule that throttles or blocks high-frequency select-account requests from a single source.
# Upgrade example using Helm to a patched Zitadel release
helm repo update
helm upgrade zitadel zitadel/zitadel \
--namespace zitadel \
--version 4.0.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

