Executive Summary

CVE-2026-25050 is a timing attack vulnerability in the NativeAuthenticationStrategy.authenticate() method of Vendure versions up to 3.5.2. The method returns immediately if a user is not found, resulting in a very fast response (~1-5ms), whereas if the user exists, it performs a bcrypt password check taking much longer (~200-400ms). This timing difference allows attackers to determine whether a username (email address) exists in the system by measuring response times, enabling user enumeration. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to reliably enumerate valid usernames (email addresses) in the system by measuring authentication response times. Knowing valid accounts can facilitate targeted brute-force attacks, phishing campaigns, or other malicious activities against those accounts. Although the severity is low, it discloses account existence information that could be leveraged in further attacks. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by measuring the response times of authentication attempts with different usernames (email addresses). Specifically, by sending login requests with both valid and invalid usernames and comparing the response times, an attacker can observe a significant timing difference (~200-400ms for valid users due to bcrypt verification vs ~1-5ms for invalid users). To detect this on your system, you can use tools like curl or custom scripts to automate login attempts and measure response times. For example, using curl with time measurement: `time curl -X POST -d '{"email":"[email protected]","password":"password"}' https://your-vendure-instance/api/auth/login` repeated for different emails and comparing the timings can reveal the timing discrepancy. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Vendure to version 3.5.3 or later, where the issue has been fixed by ensuring that all authentication attempts take a consistent amount of time regardless of whether the user exists. This prevents attackers from distinguishing valid usernames based on response times. If upgrading immediately is not possible, implementing a dummy bcrypt password check for non-existent users to equalize response times can help mitigate the timing attack. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to enumerate valid usernames (email addresses) by exploiting timing differences during authentication. Such user enumeration can lead to increased risk of targeted attacks, potentially exposing personal data. While the vulnerability itself is rated low severity, it could impact compliance with data protection regulations like GDPR or HIPAA by facilitating unauthorized access attempts or phishing attacks that compromise user privacy and data security. Therefore, addressing this vulnerability helps maintain compliance by protecting user identity information from disclosure. [1, 2]

Useful 0 Not Useful 0