Moderate severityNVD Advisory· Published Dec 11, 2025· Updated Dec 11, 2025
Zitadel Discloses the Total Number of Instance Users
CVE-2025-67717
Description
ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the totalResult field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. This issue is fixed in versions 3.4.5 and 4.7.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/zitadel/zitadelGo | >= 4.0.0-rc.1, < 4.7.2 | 4.7.2 |
github.com/zitadel/zitadelGo | >= 2.44.0, < 3.4.5 | 3.4.5 |
github.com/zitadel/zitadelGo | < 1.80.0-v2.20.0.20251210121356-826039c6208f | 1.80.0-v2.20.0.20251210121356-826039c6208f |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/zitadel/zitadelpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
>= 4.0.0-rc.1, < 4.7.2+ 1 more
- (no CPE)range: >= 4.0.0-rc.1, < 4.7.2
- (no CPE)range: < 0.0.20251230T014957-150000.1.134.1
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-f4cf-9rvr-2rcxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-67717ghsaADVISORY
- github.com/zitadel/zitadel/commit/826039c6208fe71df57b3a94c982b5ac5b0af12cghsax_refsource_MISCWEB
- github.com/zitadel/zitadel/security/advisories/GHSA-f4cf-9rvr-2rcxghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.