Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-25597 is a time-based user enumeration vulnerability in PrestaShop's user authentication functionality prior to versions 8.2.4 and 9.0.3."}, {'type': 'paragraph', 'content': 'This vulnerability allows an attacker to determine whether a customer account exists by measuring differences in response times during the login process.'}, {'type': 'paragraph', 'content': 'The flaw exists in the front office login form and can be exploited remotely without any privileges or user interaction.'}] [2, 3]

Useful 0 Not Useful 0

Impact Analysis

An attacker exploiting this vulnerability can confirm the existence of customer accounts in the system by analyzing response time differences.

This can lead to user information disclosure, potentially aiding further targeted attacks such as phishing or credential stuffing.

The confidentiality impact is rated low, with no impact on data integrity or availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability is a time-based user enumeration flaw in the user authentication functionality of PrestaShop. It can be detected by measuring differences in response times when attempting to authenticate with different user accounts or email addresses.'}, {'type': 'paragraph', 'content': 'To detect this on your system or network, you can perform timing analysis by sending authentication requests to the PrestaShop front office login form with various email addresses and measuring the response times. A consistent difference in response times may indicate the presence of a valid account.'}, {'type': 'paragraph', 'content': 'Example commands using curl and time measurement in a Unix-like shell could be:'}, {'type': 'list_item', 'content': "Use curl to send login POST requests with different emails and measure the time taken: `time curl -X POST -d '[email protected]&password=any' https://your-prestashop-site.com/login`"}, {'type': 'list_item', 'content': 'Compare the response times for different email addresses to identify timing discrepancies.'}, {'type': 'paragraph', 'content': 'Automated scripts can be written to perform multiple requests and statistically analyze response times to detect user enumeration.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade PrestaShop to version 8.2.4 or 9.0.3 or later, where this time-based user enumeration vulnerability has been fixed.

There are no known workarounds for this vulnerability, so applying the official security patch by updating the software is essential.

After upgrading, verify that the authentication process no longer reveals timing differences that could be exploited.

Useful 0 Not Useful 0