{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-23T20:22:54.546","vulnerabilities":[{"cve":{"id":"CVE-2025-57770","sourceIdentifier":"security-advisories@github.com","published":"2025-08-22T17:15:35.997","lastModified":"2025-08-27T19:12:57.573","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Versions 4.0.0 to 4.0.2, 3.0.0 to 3.3.6, and all versions prior to 2.71.15 are vulnerable to a username enumeration issue in the login interface. The login UI includes a security feature, Ignoring unknown usernames, that is intended to prevent username enumeration by returning a generic response for both valid and invalid usernames. This vulnerability allows an unauthenticated attacker to bypass this protection by submitting arbitrary userIDs to the select account page and distinguishing between valid and invalid accounts based on the system's response. For effective exploitation, an attacker needs to iterate through possible userIDs, but the impact can be limited by implementing rate limiting or similar measures. The issue has been patched in versions 4.0.3, 3.4.0, and 2.71.15."},{"lang":"es","value":"El software de infraestructura de identidad de código abierto Zitadel permite a los administradores desactivar el autorregistro de usuarios. Las versiones 4.0.0 a 4.0.2, 3.0.0 a 3.3.6 y todas las versiones anteriores a la 2.71.15 son vulnerables a un problema de enumeración de nombres de usuario en la interfaz de inicio de sesión. Esta interfaz incluye una función de seguridad, Ignorar nombres de usuario desconocidos, que impide la enumeración de nombres de usuario devolviendo una respuesta genérica tanto para nombres de usuario válidos como no válidos. Esta vulnerabilidad permite a un atacante no autenticado eludir esta protección enviando ID de usuario arbitrarios a la página de selección de cuenta y distinguiendo entre cuentas válidas e inválidas según la respuesta del sistema. Para una explotación eficaz, un atacante debe iterar entre los posibles ID de usuario, pero el impacto puede limitarse implementando una limitación de velocidad o medidas similares. El problema se ha corregido en las versiones 4.0.3, 3.4.0 y 2.71.15."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-203"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*","versionEndExcluding":"2.71.15","matchCriteriaId":"E5A53891-3BA9-4CEB-82AC-B9F39CD1A02E"},{"vulnerable":true,"criteria":"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.4.0","matchCriteriaId":"3D35DEF8-57A6-4ECF-9737-7604002DEE70"},{"vulnerable":true,"criteria":"cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.0.3","matchCriteriaId":"B15FCB28-4B32-45DA-9566-2F774895CF1F"}]}]}],"references":[{"url":"https://github.com/zitadel/zitadel/commit/7abe759c95cb360524d88b51744d03cbb6e4dcdb","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/zitadel/zitadel/releases/tag/v2.71.15","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/zitadel/zitadel/releases/tag/v3.4.0","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/zitadel/zitadel/releases/tag/v4.0.3","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/zitadel/zitadel/security/advisories/GHSA-g9c3-xh6v-fr86","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://zitadel.com/docs/self-hosting/manage/production#limits-and-quotas","source":"security-advisories@github.com","tags":["Product"]}]}}]}