{"id":"CVE-2025-58442","summary":"Saleor has user enumeration vulnerability due to different error messages","details":"Saleor is an e-commerce platform. Starting in version 3.21.0 and prior to version 3.21.16, requesting certain fields in the response of `accountRegister` may result in errors that could unintentionally reveal whether a user with the provided email already exists in Saleor. Version 3.21.16 fixes the issue. As a workaround, rate-limit the mutation to reduce the impact.","aliases":["GHSA-8w67-mfm5-fwx5"],"modified":"2026-04-10T05:32:56.343934Z","published":"2025-09-09T19:46:45.798Z","database_specific":{"cwe_ids":["CWE-204"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58442.json"},"references":[{"type":"WEB","url":"https://github.com/saleor/saleor/releases/tag/3.21.16"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58442.json"},{"type":"ADVISORY","url":"https://github.com/saleor/saleor/security/advisories/GHSA-8w67-mfm5-fwx5"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58442"},{"type":"FIX","url":"https://github.com/saleor/saleor/commit/09d671e91ea53a44352d5f685083dc05a2f55e95"},{"type":"FIX","url":"https://github.com/saleor/saleor/commit/b35783838e51cfc118e07d632f64b01bc3a2c4bb"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/saleor/saleor","events":[{"introduced":"0"},{"fixed":"09d671e91ea53a44352d5f685083dc05a2f55e95"}]},{"type":"GIT","repo":"https://github.com/saleor/saleor","events":[{"introduced":"0"},{"fixed":"b35783838e51cfc118e07d632f64b01bc3a2c4bb"}]},{"type":"GIT","repo":"https://github.com/saleor/saleor","events":[{"introduced":"0"},{"fixed":"09d671e91ea53a44352d5f685083dc05a2f55e95"}]}],"versions":["2.0.0","2.1.0","2.10.0","2.10.0-rc.1","2.10.0-rc.2","2.2.0","2.3.0","2.4.0","2.5.0","2.6.0","2.7.0","2.8.0","2.9.0","3.0.0-a.0","3.11.0-a.0","3.12.0-a.0","3.13.0-a.0","3.14.67","3.14.84","3.15.0-a.0","3.15.41","3.16.0-a.0","3.16.42","3.17.0-a.0","3.17.69","3.18.0-a.0","3.19.0-a.0","3.2.0","3.21.0","3.21.0-a.0","3.21.0-a.4","3.21.0-a.5","3.21.0-a.6","3.21.1","3.21.10","3.21.11","3.21.12","3.21.13","3.21.14","3.21.15","3.21.2","3.21.3","3.21.4","3.21.5","3.21.6","3.21.7","3.21.8","3.21.9","v2016.07.0","v2017.02.0","v2017.02.1","v2017.03.0","v2017.03.1","v2017.03.2","v2017.03.3","v2017.03.4","v2017.07.0","v2017.09","v2017.10","v2017.11","v2017.12","v2017.12.1","v2018.01","v2018.02","v2018.03","v2018.04","v2018.05","v2018.06","v2018.08","v2018.09"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-58442.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}