CVE-2026-25050
Unknown Unknown - Not Provided

Timing Attack in Vendure NativeAuthenticationStrategy Enables Username Enumeration

Vulnerability report for CVE-2026-25050, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-30

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description

Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found. The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. Version 3.5.3 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-30
Last Modified
2026-02-26
Generated
2026-07-06
AI Q&A
2026-01-30
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vendure vendure to 3.5.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-202 When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-25050 is a timing attack vulnerability in the NativeAuthenticationStrategy.authenticate() method of Vendure versions up to 3.5.2. The method returns immediately if a user is not found, resulting in a very fast response (~1-5ms), whereas if the user exists, it performs a bcrypt password check taking much longer (~200-400ms). This timing difference allows attackers to determine whether a username (email address) exists in the system by measuring response times, enabling user enumeration. [1]

Impact Analysis

This vulnerability can allow attackers to reliably enumerate valid usernames (email addresses) in the system by measuring authentication response times. Knowing valid accounts can facilitate targeted brute-force attacks, phishing campaigns, or other malicious activities against those accounts. Although the severity is low, it discloses account existence information that could be leveraged in further attacks. [1]

Detection Guidance

This vulnerability can be detected by measuring the response times of authentication attempts with different usernames (email addresses). Specifically, by sending login requests with both valid and invalid usernames and comparing the response times, an attacker can observe a significant timing difference (~200-400ms for valid users due to bcrypt verification vs ~1-5ms for invalid users). To detect this on your system, you can use tools like curl or custom scripts to automate login attempts and measure response times. For example, using curl with time measurement: `time curl -X POST -d '{"email":"[email protected]","password":"password"}' https://your-vendure-instance/api/auth/login` repeated for different emails and comparing the timings can reveal the timing discrepancy. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Vendure to version 3.5.3 or later, where the issue has been fixed by ensuring that all authentication attempts take a consistent amount of time regardless of whether the user exists. This prevents attackers from distinguishing valid usernames based on response times. If upgrading immediately is not possible, implementing a dummy bcrypt password check for non-existent users to equalize response times can help mitigate the timing attack. [1, 2]

Compliance Impact

This vulnerability allows attackers to enumerate valid usernames (email addresses) by exploiting timing differences during authentication. Such user enumeration can lead to increased risk of targeted attacks, potentially exposing personal data. While the vulnerability itself is rated low severity, it could impact compliance with data protection regulations like GDPR or HIPAA by facilitating unauthorized access attempts or phishing attacks that compromise user privacy and data security. Therefore, addressing this vulnerability helps maintain compliance by protecting user identity information from disclosure. [1, 2]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25050. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart