CWE-202
AllowedExposure of Sensitive Information Through Data Queries
Abstraction: Base · Status: Draft
When trying to keep information confidential, an attacker can often infer some of the information by using statistics.
59 vulnerabilities reference this CWE, most recent first.
CVE-2019-19000 (GCVE-0-2019-19000)
Vulnerability from cvelistv5 – Published: 2020-04-02 19:49 – Updated: 2024-08-05 02:02| URL | Tags |
|---|---|
| https://search.abb.com/library/Download.aspx?Docu… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:02:39.758Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "eSOMS",
"vendor": "ABB",
"versions": [
{
"status": "affected",
"version": "4"
},
{
"status": "affected",
"version": "5"
},
{
"status": "affected",
"version": "6.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "For ABB eSOMS 4.0 to 6.0.3, the Cache-Control and Pragma HTTP header(s) have not been properly configured within the application response. This can potentially allow browsers and proxies to cache sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-16",
"description": "CWE-16 Configuration",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202 Exposure of Sensitive Data Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-02T19:49:35.000Z",
"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"shortName": "ABB"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "eSOMS Cachecontrol (Pragma) HTTP Header",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@ch.abb.com",
"ID": "CVE-2019-19000",
"STATE": "PUBLIC",
"TITLE": "eSOMS Cachecontrol (Pragma) HTTP Header"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "eSOMS",
"version": {
"version_data": [
{
"version_value": "4"
},
{
"version_value": "5"
},
{
"version_value": "6.0.3"
}
]
}
}
]
},
"vendor_name": "ABB"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "For ABB eSOMS 4.0 to 6.0.3, the Cache-Control and Pragma HTTP header(s) have not been properly configured within the application response. This can potentially allow browsers and proxies to cache sensitive information."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-16 Configuration"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-202 Exposure of Sensitive Data Through Data Queries"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "CONFIRM",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"assignerShortName": "ABB",
"cveId": "CVE-2019-19000",
"datePublished": "2020-04-02T19:49:35.000Z",
"dateReserved": "2019-11-15T00:00:00.000Z",
"dateUpdated": "2024-08-05T02:02:39.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-27H3-CRW2-Q36W
Vulnerability from github – Published: 2026-04-16 15:31 – Updated: 2026-04-16 22:57The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.
This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.
Users are recommended to upgrade to version 10.4.0, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.skywalking:server-core"
},
"ranges": [
{
"events": [
{
"introduced": "9.7.0"
},
{
"fixed": "10.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-30778"
],
"database_specific": {
"cwe_ids": [
"CWE-202"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T22:57:31Z",
"nvd_published_at": "2026-04-15T11:16:33Z",
"severity": "HIGH"
},
"details": "The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.\n\nThis issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.\n\nUsers are recommended to upgrade to version 10.4.0, which fixes the issue.",
"id": "GHSA-27h3-crw2-q36w",
"modified": "2026-04-16T22:57:31Z",
"published": "2026-04-16T15:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30778"
},
{
"type": "WEB",
"url": "https://github.com/apache/skywalking/commit/5a3f6260e4dd681a9132204e5299064bef079886"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/skywalking"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/pvf35o3tp1rqhmrhzj6fg31gvqrqcvn3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/15/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information"
}
GHSA-372P-Q8PM-XRRR
Vulnerability from github – Published: 2024-06-24 21:33 – Updated: 2024-07-03 18:46WAVLINK WN551K1'live_check.shtml enables attackers to obtain sensitive router information.
{
"affected": [],
"aliases": [
"CVE-2024-38897"
],
"database_specific": {
"cwe_ids": [
"CWE-202"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-24T21:15:26Z",
"severity": "MODERATE"
},
"details": "WAVLINK WN551K1\u0027live_check.shtml enables attackers to obtain sensitive router information.",
"id": "GHSA-372p-q8pm-xrrr",
"modified": "2024-07-03T18:46:35Z",
"published": "2024-06-24T21:33:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38897"
},
{
"type": "WEB",
"url": "https://github.com/s4ndw1ch136/IOT-vuln-reports/blob/main/Wavlink/WN551K1/live_check.shtml/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3X55-2C2W-5C9F
Vulnerability from github – Published: 2024-06-24 21:33 – Updated: 2024-07-03 18:46An issue in Wavlink WN551K1 allows a remote attacker to obtain sensitive information via the ExportAllSettings.sh component.
{
"affected": [],
"aliases": [
"CVE-2024-38892"
],
"database_specific": {
"cwe_ids": [
"CWE-202"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-24T21:15:26Z",
"severity": "MODERATE"
},
"details": "An issue in Wavlink WN551K1 allows a remote attacker to obtain sensitive information via the ExportAllSettings.sh component.",
"id": "GHSA-3x55-2c2w-5c9f",
"modified": "2024-07-03T18:46:35Z",
"published": "2024-06-24T21:33:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38892"
},
{
"type": "WEB",
"url": "https://github.com/s4ndw1ch136/IOT-vuln-reports/blob/main/Wavlink/WN551K1/ExportLogs.sh/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4QCP-WHVM-5MWC
Vulnerability from github – Published: 2023-08-04 00:30 – Updated: 2024-01-25 18:30A vulnerability in the scanning engines of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass a configured rule, allowing traffic onto a network that should have been blocked.
This vulnerability is due to improper detection of malicious traffic when the traffic is encoded with a specific content format. An attacker could exploit this vulnerability by using an affected device to connect to a malicious server and receiving crafted HTTP responses. A successful exploit could allow the attacker to bypass an explicit block rule and receive traffic that should have been rejected by the device.
{
"affected": [],
"aliases": [
"CVE-2023-20215"
],
"database_specific": {
"cwe_ids": [
"CWE-202"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-03T22:15:11Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the scanning engines of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass a configured rule, allowing traffic onto a network that should have been blocked.\n\n This vulnerability is due to improper detection of malicious traffic when the traffic is encoded with a specific content format. An attacker could exploit this vulnerability by using an affected device to connect to a malicious server and receiving crafted HTTP responses. A successful exploit could allow the attacker to bypass an explicit block rule and receive traffic that should have been rejected by the device.",
"id": "GHSA-4qcp-whvm-5mwc",
"modified": "2024-01-25T18:30:37Z",
"published": "2023-08-04T00:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20215"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-bypass-vXvqwzsj"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-54JQ-C3M8-4M76
Vulnerability from github – Published: 2026-01-05 23:09 – Updated: 2026-01-06 16:06Summary
Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of absolute path components.
Impact
If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.
Patch: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.13.2"
},
"package": {
"ecosystem": "PyPI",
"name": "aiohttp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.13.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-69226"
],
"database_specific": {
"cwe_ids": [
"CWE-202",
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-05T23:09:51Z",
"nvd_published_at": "2026-01-05T23:15:40Z",
"severity": "LOW"
},
"details": "### Summary\nPath normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the\nexistence of absolute path components.\n\n### Impact\nIf an application uses `web.static()` (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.\n\n------\n\nPatch: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e",
"id": "GHSA-54jq-c3m8-4m76",
"modified": "2026-01-06T16:06:47Z",
"published": "2026-01-05T23:09:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69226"
},
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e"
},
{
"type": "PACKAGE",
"url": "https://github.com/aio-libs/aiohttp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "AIOHTTP vulnerable to brute-force leak of internal static \ufb01le path components"
}
GHSA-5G3W-62HR-P464
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2025-07-23 15:31A vulnerability in the API endpoints for Cisco DNA Center could allow an authenticated, remote attacker to gain access to sensitive information that should be restricted. The attacker must have valid device credentials. This vulnerability is due to improper access controls on API endpoints. An attacker could exploit the vulnerability by sending a specific API request to an affected application. A successful exploit could allow the attacker to obtain sensitive information about other users who are configured with higher privileges on the application.
{
"affected": [],
"aliases": [
"CVE-2021-34782"
],
"database_specific": {
"cwe_ids": [
"CWE-202"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-06T20:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the API endpoints for Cisco DNA Center could allow an authenticated, remote attacker to gain access to sensitive information that should be restricted. The attacker must have valid device credentials. This vulnerability is due to improper access controls on API endpoints. An attacker could exploit the vulnerability by sending a specific API request to an affected application. A successful exploit could allow the attacker to obtain sensitive information about other users who are configured with higher privileges on the application.",
"id": "GHSA-5g3w-62hr-p464",
"modified": "2025-07-23T15:31:07Z",
"published": "2022-05-24T19:16:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34782"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-infodisc-KyC6YncS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6497-PRX7-GPMQ
Vulnerability from github – Published: 2026-01-30 21:30 – Updated: 2026-06-05 17:56SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "geopandas"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-69662"
],
"database_specific": {
"cwe_ids": [
"CWE-202",
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-01T18:09:10Z",
"nvd_published_at": "2026-01-30T19:16:11Z",
"severity": "HIGH"
},
"details": "SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database.",
"id": "GHSA-6497-prx7-gpmq",
"modified": "2026-06-05T17:56:23Z",
"published": "2026-01-30T21:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69662"
},
{
"type": "WEB",
"url": "https://github.com/geopandas/geopandas/issues/3679"
},
{
"type": "WEB",
"url": "https://github.com/geopandas/geopandas/pull/3681"
},
{
"type": "WEB",
"url": "https://github.com/geopandas/geopandas/commit/6aa8ef14ffdee4ba1044349ab948e1a1fbfaf419"
},
{
"type": "WEB",
"url": "https://aydinnyunus.github.io/2025/12/27/sql-injection-geopandas"
},
{
"type": "PACKAGE",
"url": "https://github.com/geopandas/geopandas"
},
{
"type": "WEB",
"url": "https://github.com/geopandas/geopandas/releases/tag/v1.1.2"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/geopandas/PYSEC-2026-62.yaml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "geopandas SQL Injection Vulnerability in to_postgis() Allows Information Disclosure"
}
GHSA-6636-XFJ2-VP52
Vulnerability from github – Published: 2023-02-12 09:30 – Updated: 2023-02-21 21:30A vulnerability classified as problematic was found in SourceCodester Best Online News Portal 1.0. Affected by this vulnerability is an unknown functionality of the file check_availability.php. The manipulation of the argument username leads to exposure of sensitive information through data queries. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-220645 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-0785"
],
"database_specific": {
"cwe_ids": [
"CWE-202"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-12T08:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic was found in SourceCodester Best Online News Portal 1.0. Affected by this vulnerability is an unknown functionality of the file check_availability.php. The manipulation of the argument username leads to exposure of sensitive information through data queries. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-220645 was assigned to this vulnerability.",
"id": "GHSA-6636-xfj2-vp52",
"modified": "2023-02-21T21:30:16Z",
"published": "2023-02-12T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0785"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.220645"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.220645"
},
{
"type": "WEB",
"url": "https://youtu.be/n_BfBlsUIN8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6F65-4FV2-WWCH
Vulnerability from github – Published: 2026-01-30 19:35 – Updated: 2026-01-30 19:35Summary
The NativeAuthenticationStrategy.authenticate() method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses).
Details
In packages/core/src/config/auth/native-authentication-strategy.ts, the authenticate method returns immediately if a user is not found:
const user = await this.userService.getUserByEmailAddress(ctx, data.username);
if (!user) {
return false; // Instant return (~1-5ms)
}
const passwordMatch = await this.verifyUserPassword(ctx, user.id, data.password);
// Password check takes ~200-400ms with bcrypt (12 rounds)
The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts.
Impact
- Attackers can enumerate valid user accounts
- Enables targeted brute-force or phishing attacks
- Information disclosure (account existence)
Recommended Fix
Perform a dummy bcrypt check when user is not found to ensure consistent response times.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@vendure/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25050"
],
"database_specific": {
"cwe_ids": [
"CWE-202"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-30T19:35:40Z",
"nvd_published_at": "2026-01-30T16:16:13Z",
"severity": "LOW"
},
"details": "### Summary\nThe `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses).\n\n### Details\nIn `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found:\n\n```typescript\nconst user = await this.userService.getUserByEmailAddress(ctx, data.username);\nif (!user) {\n return false; // Instant return (~1-5ms)\n}\nconst passwordMatch = await this.verifyUserPassword(ctx, user.id, data.password);\n// Password check takes ~200-400ms with bcrypt (12 rounds)\n```\n\nThe significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts.\n\n### Impact\n- Attackers can enumerate valid user accounts\n- Enables targeted brute-force or phishing attacks\n- Information disclosure (account existence)\n\n### Recommended Fix\nPerform a dummy bcrypt check when user is not found to ensure consistent response times.",
"id": "GHSA-6f65-4fv2-wwch",
"modified": "2026-01-30T19:35:40Z",
"published": "2026-01-30T19:35:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vendurehq/vendure/security/advisories/GHSA-6f65-4fv2-wwch"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25050"
},
{
"type": "WEB",
"url": "https://github.com/vendurehq/vendure/commit/7f0c5556ecddb44a5d5208677a45fdd5923b0cc9"
},
{
"type": "PACKAGE",
"url": "https://github.com/vendurehq/vendure"
},
{
"type": "WEB",
"url": "https://github.com/vendurehq/vendure/releases/tag/v3.5.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy"
}
Mitigation
This is a complex topic. See the [REF-1492] for a good discussion of best practices.
No CAPEC attack patterns related to this CWE.