CVE-2026-25050
Timing Attack in Vendure NativeAuthenticationStrategy Enables Username Enumeration
Publication date: 2026-01-30
Last updated on: 2026-02-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vendure | vendure | to 3.5.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-202 | When trying to keep information confidential, an attacker can often infer some of the information by using statistics. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25050 is a timing attack vulnerability in the NativeAuthenticationStrategy.authenticate() method of Vendure versions up to 3.5.2. The method returns immediately if a user is not found, resulting in a very fast response (~1-5ms), whereas if the user exists, it performs a bcrypt password check taking much longer (~200-400ms). This timing difference allows attackers to determine whether a username (email address) exists in the system by measuring response times, enabling user enumeration. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows attackers to enumerate valid usernames (email addresses) by exploiting timing differences during authentication. Such user enumeration can lead to increased risk of targeted attacks, potentially exposing personal data. While the vulnerability itself is rated low severity, it could impact compliance with data protection regulations like GDPR or HIPAA by facilitating unauthorized access attempts or phishing attacks that compromise user privacy and data security. Therefore, addressing this vulnerability helps maintain compliance by protecting user identity information from disclosure. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow attackers to reliably enumerate valid usernames (email addresses) in the system by measuring authentication response times. Knowing valid accounts can facilitate targeted brute-force attacks, phishing campaigns, or other malicious activities against those accounts. Although the severity is low, it discloses account existence information that could be leveraged in further attacks. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by measuring the response times of authentication attempts with different usernames (email addresses). Specifically, by sending login requests with both valid and invalid usernames and comparing the response times, an attacker can observe a significant timing difference (~200-400ms for valid users due to bcrypt verification vs ~1-5ms for invalid users). To detect this on your system, you can use tools like curl or custom scripts to automate login attempts and measure response times. For example, using curl with time measurement: `time curl -X POST -d '{"email":"[email protected]","password":"password"}' https://your-vendure-instance/api/auth/login` repeated for different emails and comparing the timings can reveal the timing discrepancy. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Vendure to version 3.5.3 or later, where the issue has been fixed by ensuring that all authentication attempts take a consistent amount of time regardless of whether the user exists. This prevents attackers from distinguishing valid usernames based on response times. If upgrading immediately is not possible, implementing a dummy bcrypt password check for non-existent users to equalize response times can help mitigate the timing attack. [1, 2]