CVE-2025-70949
Received Received - Intake
Timing Side-Channel in @perfood/couch-auth v0.26.0 Exposes Data

Publication date: 2026-03-05

Last updated on: 2026-03-06

Assigner: MITRE

Description
An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-06
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-70949
EUVD
EUVD-2025-208328
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
perfood couch-auth to 0.26.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-70949 affects the @perfood/couch-auth package, version 0.26.0 and earlier. It is an observable timing discrepancy vulnerability within the authentication logic.

This flaw allows remote attackers to perform side-channel attacks by measuring timing differences during token validation.

By exploiting these timing variations, attackers can infer or guess sensitive tokens used in the authentication process.

Impact Analysis

This vulnerability can potentially lead to unauthorized access or compromise of user accounts.

Attackers exploiting the timing side-channel can gain sensitive information that should be protected during authentication.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves an observable timing discrepancy in the authentication logic of @perfood/couch-auth v0.26.0, which can be detected by measuring timing differences during token validation.

To detect this vulnerability on your system or network, you would typically perform timing analysis on authentication requests to observe if there are measurable differences in response times that correlate with token validity.

Specific commands or tools are not provided in the available resources, but common approaches include using timing attack scripts or network analysis tools that measure response times precisely, such as curl with timing options or custom scripts in Python or other languages to send authentication requests and measure response delays.

Mitigation Strategies

The provided resources do not specify immediate mitigation steps for this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70949. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart