CVE-2025-57770: 
Chainguard vulnerability analysis and mitigation

CVE-2025-57770 affects the open-source identity infrastructure software Zitadel, specifically versions 4.0.0 to 4.0.2, 3.0.0 to 3.3.6, and all versions prior to 2.71.15. The vulnerability was discovered and disclosed on August 22, 2025, allowing username enumeration in the login interface despite having a security feature intended to prevent such attacks (GitHub Advisory).

The vulnerability exists in Zitadel's login UI, which includes a security feature called 'Ignoring unknown usernames' designed to prevent username enumeration by returning generic responses for both valid and invalid usernames. However, an unauthenticated attacker can bypass this protection by submitting arbitrary userIDs to the select account page and distinguishing between valid and invalid accounts based on the system's response. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (GitHub Advisory).

The vulnerability allows attackers to enumerate valid usernames in the system by iterating through possible userIDs. This information disclosure could be used as a stepping stone for further attacks, such as targeted brute force attempts or social engineering campaigns. The impact can be limited by implementing rate limiting or similar measures to restrict the enumeration of userIDs (GitHub Advisory).

The vulnerability has been patched in versions 4.0.3, 3.4.0, and 2.71.15. The fix prevents the use of any userID on the selection page that has not been previously authenticated in the same user agent (browser). Organizations are recommended to upgrade to these patched versions. As a workaround, implementing rate limiting or similar measures can help limit the impact of enumeration attempts (GitHub Advisory).