CVE-2026-25222
Timing Attack in PolarLearn Sign-In Enables User Enumeration

Publication date: 2026-02-02

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, a timing attack vulnerability in the sign-in process allows unauthenticated attackers to determine if a specific email address is registered on the platform. By measuring the response time of the login endpoint, an attacker can distinguish between valid and invalid email addresses. This occurs because the server only performs the computationally expensive Argon2 password hashing if the user exists in the database. Requests for existing users take significantly longer (~650ms) than requests for non-existent users (~160ms).
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: polarlearn | Product: polarlearn | Version / Range: *
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a timing attack in the sign-in process of PolarLearn (version 0-PRERELEASE-15 and earlier). An unauthenticated attacker can measure the response time of the login endpoint to determine if a specific email address is registered on the platform. This happens because the server only performs the computationally expensive Argon2 password hashing if the user exists, causing requests for existing users to take significantly longer (~650ms) than for non-existent users (~160ms).


How can this vulnerability impact me?

This vulnerability can allow attackers to enumerate valid email addresses registered on the PolarLearn platform without authentication. This could lead to targeted phishing attacks, privacy breaches, or further attempts to compromise user accounts.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by measuring the response times of the login endpoint for different email addresses. Specifically, by sending login requests with various email addresses and observing the response times, you can distinguish between valid and invalid users. Valid users cause the server to perform Argon2 password hashing, resulting in longer response times (~650ms), while invalid users result in shorter response times (~160ms). Commands to detect this could involve using tools like curl or wget in a script to send login requests and measure response times, for example using curl with the --write-out option to capture timing information.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing constant-time responses for the login endpoint regardless of whether the user exists or not, to prevent timing differences that reveal user existence. Another approach is to add artificial delays to responses for invalid users to match the response time of valid users. Additionally, monitoring and rate limiting login attempts can help reduce the risk of exploitation.
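The pattern behind the advisory and the first mitigation above, as an added example that is not PolarLearn's own code: the vulnerable sign-in skips the expensive hash when the email is unknown, while the hardened version always verifies against a precomputed dummy record so unknown and known emails do the same amount of work. The user store, salt and passwords are constructed, and stdlib PBKDF2 stands in for Argon2 since the project's hasher is not shown on the page.

```python
import hashlib
import hmac
import os
import time

# Stand-in for Argon2 (assumption: the cost, not the algorithm, is what creates the gap).
ITERATIONS = 100_000
HASH_CALLS = {"count": 0}  # instrumentation: how many expensive hashes a request triggered


def hash_password(password: str, salt: bytes) -> bytes:
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store with a single registered account.
_SALT = b"constructed-salt"
USERS = {"alice@example.com": (_SALT, hash_password("correct horse", _SALT))}

# Dummy record computed once at startup; used whenever the email is not registered.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password("dummy-password", DUMMY_SALT)
HASH_CALLS["count"] = 0


def sign_in_vulnerable(email: str, password: str) -> bool:
    """Advisory pattern: the hash only runs when the user exists (fast path for unknown)."""
    record = USERS.get(email)
    if record is None:
        return False  # early return: no hashing, measurably faster response
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def sign_in_hardened(email: str, password: str) -> bool:
    """Always hash, even for unknown emails, then reject them after the work is done."""
    record = USERS.get(email)
    salt, stored = record if record is not None else (DUMMY_SALT, DUMMY_HASH)
    match = hmac.compare_digest(hash_password(password, salt), stored)
    return match and record is not None  # unknown user never succeeds


def hash_calls_for(fn, email: str, password: str = "x") -> int:
    """Deterministic proxy for the timing gap: expensive hashes triggered by one attempt."""
    HASH_CALLS["count"] = 0
    fn(email, password)
    return HASH_CALLS["count"]


def elapsed_ms(fn, email: str, password: str = "x") -> float:
    """Wall-clock time of one sign-in attempt, for a stand-alone demonstration."""
    start = time.perf_counter()
    fn(email, password)
    return (time.perf_counter() - start) * 1000
```

Running `elapsed_ms` for a known and an unknown email against each function reproduces the gap the advisory describes for the vulnerable path and its absence for the hardened one.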

