Exposure of Sensitive System Information to an Unauthorized Control Sphere in github.com/zitadel/zitadel/internal/query | CVE-2025-67717

Q: How to fix?

Upgrade github.com/zitadel/zitadel/internal/query to version 3.4.5, 4.7.2 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-GOLANG-GITHUBCOMZITADELZITADELINTERNALQUERY-14400981
published12 Dec 2025
disclosed11 Dec 2025
creditMartin Tschirsich, Joud Zakharia, Christopher Baumann

Report a new vulnerability Found a mistake?

Introduced: 11 Dec 2025

NewCVE-2025-67717 (opens in a new tab) CWE-497 (opens in a new tab)

How to fix?

Upgrade github.com/zitadel/zitadel/internal/query to version 3.4.5, 4.7.2 or higher.

Overview

Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the totalResult field. An attacker can gain access to the total number of instance users by querying this field, even without specific permissions.

##Workaround

For the user that can not upgrade to the fixed version it is recommended to enable the permissionCheckV2 feature on their instance.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Exposure of Sensitive System Information to an Unauthorized Control Sphere Affecting github.com/zitadel/zitadel/internal/query package, versions >=2.44.0 <3.4.5>=4.0.0-rc.1 <4.7.2

Severity