{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25050", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-28T14:50:47.888Z", "datePublished": "2026-01-30T15:11:40.296Z", "dateUpdated": "2026-01-30T15:45:50.463Z"}, "containers": {"cna": {"title": "Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy", "problemTypes": [{"descriptions": [{"cweId": "CWE-202", "lang": "en", "description": "CWE-202: Exposure of Sensitive Information Through Data Queries", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/vendurehq/vendure/security/advisories/GHSA-6f65-4fv2-wwch", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vendurehq/vendure/security/advisories/GHSA-6f65-4fv2-wwch"}, {"name": "https://github.com/vendurehq/vendure/releases/tag/v3.5.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/vendurehq/vendure/releases/tag/v3.5.3"}], "affected": [{"vendor": "vendurehq", "product": "vendure", "versions": [{"version": "< 3.5.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-30T15:11:40.296Z"}, "descriptions": [{"lang": "en", "value": "Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found. The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. Version 3.5.3 fixes the issue."}], "source": {"advisory": "GHSA-6f65-4fv2-wwch", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-30T15:45:23.480440Z", "id": "CVE-2026-25050", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T15:45:50.463Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25050", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-30T15:45:23.480440Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T15:45:40.636Z"}}], "cna": {"title": "Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy", "source": {"advisory": "GHSA-6f65-4fv2-wwch", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "vendurehq", "product": "vendure", "versions": [{"status": "affected", "version": "< 3.5.3"}]}], "references": [{"url": "https://github.com/vendurehq/vendure/security/advisories/GHSA-6f65-4fv2-wwch", "name": "https://github.com/vendurehq/vendure/security/advisories/GHSA-6f65-4fv2-wwch", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vendurehq/vendure/releases/tag/v3.5.3", "name": "https://github.com/vendurehq/vendure/releases/tag/v3.5.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found. The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. Version 3.5.3 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-202", "description": "CWE-202: Exposure of Sensitive Information Through Data Queries"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-30T15:11:40.296Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25050", "state": "PUBLISHED", "dateUpdated": "2026-01-30T15:45:50.463Z", "dateReserved": "2026-01-28T14:50:47.888Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-30T15:11:40.296Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vendure:vendure:*:*:*:*:*:*:*:*", "matchCriteriaId": "0DA0FC83-F3D8-4C6F-AB3F-95B66304DF4E", "versionEndExcluding": "3.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found. The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. Version 3.5.3 fixes the issue."}], "id": "CVE-2026-25050", "lastModified": "2026-02-26T21:59:27.637", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-30T16:16:13.967", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/vendurehq/vendure/releases/tag/v3.5.3"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/vendurehq/vendure/security/advisories/GHSA-6f65-4fv2-wwch"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-202"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:06:39.560655+00:00", "value": {"mitigation_remediation": ["Upgrade Vendure to version 3.5.3 or later to eliminate the timing discrepancy", "If an upgrade cannot be performed immediately, introduce a constant or randomized delay in the authentication response to mask timing differences", "Implement rate limiting on the authentication endpoint and monitor for patterns of enumeration attempts"], "summary": {"action": "Apply Patch", "impact": "User Enumeration"}, "threat_synthesis": {"affected_systems": "Vendure, the open\u2011source headless commerce platform maintained by vendurehq. Any deployment using a release prior to version 3.5.3 is affected. The fix was introduced in release 3.5.3 and later versions are not vulnerable.", "description_and_impact": "The vulnerability resides in Vendure\u2019s NativeAuthenticationStrategy where the authenticate method exits immediately for unknown users, creating a measurable timing gap compared to existing accounts. This timing discrepancy, roughly 200-400 milliseconds for bcrypt password verification versus only 1-5 milliseconds for a database miss, can be leveraged by an attacker to reliably determine whether a specific email address corresponds to a valid account. The outcome is information disclosure in the form of enumerating valid user identities, potentially aiding further credential-based attacks.", "risk_and_exploitability": "The CVSS score of 2.7 indicates a low severity impact, and the EPSS score of less than 1% suggests that exploitation is unlikely to be widespread at present. The vulnerability is not listed in the CISA KEV catalog. Although the attack vector is remote\u2014requiring only repeated authentication requests against the public API\u2014an attacker can craft automated timing measurements to enumerate accounts. The weakness is a timing side\u2011channel and therefore requires no additional privileges or special conditions to exploit. "}}}}, "created": "2026-02-02T09:27:30.214809+00:00", "updated": "2026-04-18T01:15:05.987059+00:00", "vendors": ["vendure", "vendure$PRODUCT$vendure"]}