CVE-2026-25597
Time-Based User Enumeration in PrestaShop Authentication

Publication date: 2026-02-06

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3.
Meta Information
Published: 2026-02-06
Last modified: 2026-02-19
Generated: 2026-05-07
AI Q&A: 2026-02-06
EPSS evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor      Product      Version / Range
prestashop  prestashop   up to 8.2.4 (excluding)
prestashop  prestashop   from 9.0.0 (including) to 9.0.3 (excluding)
CWE
CWE-208: Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-25597 is a time-based user enumeration vulnerability in PrestaShop's user authentication functionality prior to versions 8.2.4 and 9.0.3.

This vulnerability allows an attacker to determine whether a customer account exists by measuring differences in response times during the login process.

The flaw exists in the front office login form and can be exploited remotely without any privileges or user interaction. [2, 3]


How can this vulnerability impact me?

An attacker exploiting this vulnerability can confirm the existence of customer accounts in the system by analyzing response time differences.

This can lead to user information disclosure, potentially aiding further targeted attacks such as phishing or credential stuffing.

The confidentiality impact is rated low, with no impact on data integrity or availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a time-based user enumeration flaw in the user authentication functionality of PrestaShop. It can be detected by measuring differences in response times when attempting to authenticate with different user accounts or email addresses.

To detect this on your system or network, you can perform timing analysis by sending authentication requests to the PrestaShop front office login form with various email addresses and measuring the response times. A consistent difference in response times may indicate the presence of a valid account.

Example commands using curl and time measurement in a Unix-like shell could be:

- Use curl to send login POST requests with different emails and measure the time taken: `time curl -X POST -d 'email=<address-to-test>&password=any' https://your-prestashop-site.com/login`
- Compare the response times for different email addresses to identify timing discrepancies.

Automated scripts can be written to perform multiple requests and statistically analyze response times to detect user enumeration. [2]


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation step is to upgrade PrestaShop to 8.2.4 or later (8.x branch) or 9.0.3 or later (9.x branch), the releases in which this time-based user enumeration vulnerability has been fixed.

There are no known workarounds for this vulnerability, so applying the official security patch by updating the software is essential.

After upgrading, verify that the authentication process no longer reveals timing differences that could be exploited.
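The CWE-208 pattern behind this class of bug and its standard mitigation, as an added, self-contained Python example that is not PrestaShop's code and does not reproduce its actual fix: the leaky login returns early for unknown emails, while the hardened login always hashes (against a dummy record when the email is unknown) so both paths cost the same. The customer table, salts, addresses and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import time

def _pbkdf2(password: bytes, salt: bytes) -> bytes:
    # Deliberately slow hash, as real password storage would use.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

# Constructed in-memory customer table with a single account (hypothetical).
_SALT = os.urandom(16)
CUSTOMERS = {"alice@example.test": (_SALT, _pbkdf2(b"correct horse", _SALT))}

# Dummy record hashed once at startup: the "unknown account" path below
# performs the same hash work as the "known account" path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2(b"dummy", _DUMMY_SALT)

def login_leaky(email: str, password: str) -> bool:
    """CWE-208 pattern: early return skips the hash for unknown emails,
    so a missing account answers much faster than a wrong password."""
    record = CUSTOMERS.get(email)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_pbkdf2(password.encode(), salt), stored)

def login_fixed(email: str, password: str) -> bool:
    """Hardened pattern: always hash (against a dummy record when the
    email is unknown) and compare in constant time, then reject unknowns."""
    salt, stored = CUSTOMERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_pbkdf2(password.encode(), salt), stored)
    return matched and email in CUSTOMERS

def timing_gap_ms(login, rounds: int = 5) -> float:
    """Median response-time gap (ms) between an unknown email and a known
    email, both with a wrong password; a large gap means enumerable."""
    def median_ms(email: str) -> float:
        samples = []
        for _ in range(rounds):
            start = time.perf_counter()
            login(email, "wrong password")
            samples.append((time.perf_counter() - start) * 1000)
        return sorted(samples)[rounds // 2]
    return abs(median_ms("nobody@example.test") - median_ms("alice@example.test"))

if __name__ == "__main__":
    print(f"leaky gap: {timing_gap_ms(login_leaky):.1f} ms")
    print(f"fixed gap: {timing_gap_ms(login_fixed):.1f} ms")
```

The same median-gap measurement, pointed at a real login endpoint instead of a local function, is the post-upgrade check the previous paragraph asks for.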

