Common Weakness Enumeration

CWE-202

Allowed

Exposure of Sensitive Information Through Data Queries

Abstraction: Base · Status: Draft

When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

59 vulnerabilities reference this CWE, most recent first.

CVE-2019-19000 (GCVE-0-2019-19000)

Vulnerability from cvelistv5 – Published: 2020-04-02 19:49 – Updated: 2024-08-05 02:02
VLAI
Title
eSOMS Cachecontrol (Pragma) HTTP Header
Summary
For ABB eSOMS 4.0 to 6.0.3, the Cache-Control and Pragma HTTP header(s) have not been properly configured within the application response. This can potentially allow browsers and proxies to cache sensitive information.
CWE
  • CWE-16 - Configuration
  • CWE-202 - Exposure of Sensitive Data Through Data Queries
Assigner
ABB
References
Impacted products
Vendor Product Version
ABB eSOMS Affected: 4
Affected: 5
Affected: 6.0.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T02:02:39.758Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "eSOMS",
          "vendor": "ABB",
          "versions": [
            {
              "status": "affected",
              "version": "4"
            },
            {
              "status": "affected",
              "version": "5"
            },
            {
              "status": "affected",
              "version": "6.0.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "For ABB eSOMS 4.0 to 6.0.3, the Cache-Control and Pragma HTTP header(s) have not been properly configured within the application response. This can potentially allow browsers and proxies to cache sensitive information."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-16",
              "description": "CWE-16 Configuration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-202",
              "description": "CWE-202 Exposure of Sensitive Data Through Data Queries",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-02T19:49:35.000Z",
        "orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
        "shortName": "ABB"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "eSOMS Cachecontrol (Pragma) HTTP Header",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@ch.abb.com",
          "ID": "CVE-2019-19000",
          "STATE": "PUBLIC",
          "TITLE": "eSOMS Cachecontrol (Pragma) HTTP Header"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "eSOMS",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "4"
                          },
                          {
                            "version_value": "5"
                          },
                          {
                            "version_value": "6.0.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ABB"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "For ABB eSOMS 4.0 to 6.0.3, the Cache-Control and Pragma HTTP header(s) have not been properly configured within the application response. This can potentially allow browsers and proxies to cache sensitive information."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-16 Configuration"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-202 Exposure of Sensitive Data Through Data Queries"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
              "refsource": "CONFIRM",
              "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
    "assignerShortName": "ABB",
    "cveId": "CVE-2019-19000",
    "datePublished": "2020-04-02T19:49:35.000Z",
    "dateReserved": "2019-11-15T00:00:00.000Z",
    "dateUpdated": "2024-08-05T02:02:39.758Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-27H3-CRW2-Q36W

Vulnerability from github – Published: 2026-04-16 15:31 – Updated: 2026-04-16 22:57
VLAI
Summary
SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information
Details

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.

This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.

Users are recommended to upgrade to version 10.4.0, which fixes the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.skywalking:server-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.7.0"
            },
            {
              "fixed": "10.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30778"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-202"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T22:57:31Z",
    "nvd_published_at": "2026-04-15T11:16:33Z",
    "severity": "HIGH"
  },
  "details": "The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.\n\nThis issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.\n\nUsers are recommended to upgrade to version 10.4.0, which fixes the issue.",
  "id": "GHSA-27h3-crw2-q36w",
  "modified": "2026-04-16T22:57:31Z",
  "published": "2026-04-16T15:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30778"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/skywalking/commit/5a3f6260e4dd681a9132204e5299064bef079886"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/skywalking"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/pvf35o3tp1rqhmrhzj6fg31gvqrqcvn3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/04/15/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information"
}

GHSA-372P-Q8PM-XRRR

Vulnerability from github – Published: 2024-06-24 21:33 – Updated: 2024-07-03 18:46
VLAI
Details

WAVLINK WN551K1'live_check.shtml enables attackers to obtain sensitive router information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-202"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-24T21:15:26Z",
    "severity": "MODERATE"
  },
  "details": "WAVLINK WN551K1\u0027live_check.shtml enables attackers to obtain sensitive router information.",
  "id": "GHSA-372p-q8pm-xrrr",
  "modified": "2024-07-03T18:46:35Z",
  "published": "2024-06-24T21:33:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38897"
    },
    {
      "type": "WEB",
      "url": "https://github.com/s4ndw1ch136/IOT-vuln-reports/blob/main/Wavlink/WN551K1/live_check.shtml/README.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3X55-2C2W-5C9F

Vulnerability from github – Published: 2024-06-24 21:33 – Updated: 2024-07-03 18:46
VLAI
Details

An issue in Wavlink WN551K1 allows a remote attacker to obtain sensitive information via the ExportAllSettings.sh component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38892"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-202"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-24T21:15:26Z",
    "severity": "MODERATE"
  },
  "details": "An issue in Wavlink WN551K1 allows a remote attacker to obtain sensitive information via the ExportAllSettings.sh component.",
  "id": "GHSA-3x55-2c2w-5c9f",
  "modified": "2024-07-03T18:46:35Z",
  "published": "2024-06-24T21:33:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38892"
    },
    {
      "type": "WEB",
      "url": "https://github.com/s4ndw1ch136/IOT-vuln-reports/blob/main/Wavlink/WN551K1/ExportLogs.sh/README.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4QCP-WHVM-5MWC

Vulnerability from github – Published: 2023-08-04 00:30 – Updated: 2024-01-25 18:30
VLAI
Details

A vulnerability in the scanning engines of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass a configured rule, allowing traffic onto a network that should have been blocked.

This vulnerability is due to improper detection of malicious traffic when the traffic is encoded with a specific content format. An attacker could exploit this vulnerability by using an affected device to connect to a malicious server and receiving crafted HTTP responses. A successful exploit could allow the attacker to bypass an explicit block rule and receive traffic that should have been rejected by the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-202"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-03T22:15:11Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the scanning engines of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass a configured rule, allowing traffic onto a network that should have been blocked.\n\n This vulnerability is due to improper detection of malicious traffic when the traffic is encoded with a specific content format. An attacker could exploit this vulnerability by using an affected device to connect to a malicious server and receiving crafted HTTP responses. A successful exploit could allow the attacker to bypass an explicit block rule and receive traffic that should have been rejected by the device.",
  "id": "GHSA-4qcp-whvm-5mwc",
  "modified": "2024-01-25T18:30:37Z",
  "published": "2023-08-04T00:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20215"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-bypass-vXvqwzsj"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-54JQ-C3M8-4M76

Vulnerability from github – Published: 2026-01-05 23:09 – Updated: 2026-01-06 16:06
VLAI
Summary
AIOHTTP vulnerable to brute-force leak of internal static file path components
Details

Summary

Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of absolute path components.

Impact

If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.


Patch: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.13.2"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "aiohttp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.13.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-69226"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-202",
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-05T23:09:51Z",
    "nvd_published_at": "2026-01-05T23:15:40Z",
    "severity": "LOW"
  },
  "details": "### Summary\nPath normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the\nexistence of absolute path components.\n\n### Impact\nIf an application uses `web.static()` (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.\n\n------\n\nPatch: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e",
  "id": "GHSA-54jq-c3m8-4m76",
  "modified": "2026-01-06T16:06:47Z",
  "published": "2026-01-05T23:09:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69226"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aio-libs/aiohttp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AIOHTTP vulnerable to brute-force leak of internal static \ufb01le path components"
}

GHSA-5G3W-62HR-P464

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2025-07-23 15:31
VLAI
Details

A vulnerability in the API endpoints for Cisco DNA Center could allow an authenticated, remote attacker to gain access to sensitive information that should be restricted. The attacker must have valid device credentials. This vulnerability is due to improper access controls on API endpoints. An attacker could exploit the vulnerability by sending a specific API request to an affected application. A successful exploit could allow the attacker to obtain sensitive information about other users who are configured with higher privileges on the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-34782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-202"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-06T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the API endpoints for Cisco DNA Center could allow an authenticated, remote attacker to gain access to sensitive information that should be restricted. The attacker must have valid device credentials. This vulnerability is due to improper access controls on API endpoints. An attacker could exploit the vulnerability by sending a specific API request to an affected application. A successful exploit could allow the attacker to obtain sensitive information about other users who are configured with higher privileges on the application.",
  "id": "GHSA-5g3w-62hr-p464",
  "modified": "2025-07-23T15:31:07Z",
  "published": "2022-05-24T19:16:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34782"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-infodisc-KyC6YncS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6497-PRX7-GPMQ

Vulnerability from github – Published: 2026-01-30 21:30 – Updated: 2026-06-05 17:56
VLAI
Summary
geopandas SQL Injection Vulnerability in to_postgis() Allows Information Disclosure
Details

SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "geopandas"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-69662"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-202",
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-01T18:09:10Z",
    "nvd_published_at": "2026-01-30T19:16:11Z",
    "severity": "HIGH"
  },
  "details": "SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database.",
  "id": "GHSA-6497-prx7-gpmq",
  "modified": "2026-06-05T17:56:23Z",
  "published": "2026-01-30T21:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69662"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geopandas/geopandas/issues/3679"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geopandas/geopandas/pull/3681"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geopandas/geopandas/commit/6aa8ef14ffdee4ba1044349ab948e1a1fbfaf419"
    },
    {
      "type": "WEB",
      "url": "https://aydinnyunus.github.io/2025/12/27/sql-injection-geopandas"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geopandas/geopandas"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geopandas/geopandas/releases/tag/v1.1.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/geopandas/PYSEC-2026-62.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00025.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "geopandas SQL Injection Vulnerability in to_postgis() Allows Information Disclosure"
}

GHSA-6636-XFJ2-VP52

Vulnerability from github – Published: 2023-02-12 09:30 – Updated: 2023-02-21 21:30
VLAI
Details

A vulnerability classified as problematic was found in SourceCodester Best Online News Portal 1.0. Affected by this vulnerability is an unknown functionality of the file check_availability.php. The manipulation of the argument username leads to exposure of sensitive information through data queries. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-220645 was assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0785"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-202"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-12T08:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic was found in SourceCodester Best Online News Portal 1.0. Affected by this vulnerability is an unknown functionality of the file check_availability.php. The manipulation of the argument username leads to exposure of sensitive information through data queries. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-220645 was assigned to this vulnerability.",
  "id": "GHSA-6636-xfj2-vp52",
  "modified": "2023-02-21T21:30:16Z",
  "published": "2023-02-12T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0785"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.220645"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.220645"
    },
    {
      "type": "WEB",
      "url": "https://youtu.be/n_BfBlsUIN8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6F65-4FV2-WWCH

Vulnerability from github – Published: 2026-01-30 19:35 – Updated: 2026-01-30 19:35
VLAI
Summary
Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy
Details

Summary

The NativeAuthenticationStrategy.authenticate() method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses).

Details

In packages/core/src/config/auth/native-authentication-strategy.ts, the authenticate method returns immediately if a user is not found:

const user = await this.userService.getUserByEmailAddress(ctx, data.username);
if (!user) {
    return false; // Instant return (~1-5ms)
}
const passwordMatch = await this.verifyUserPassword(ctx, user.id, data.password);
// Password check takes ~200-400ms with bcrypt (12 rounds)

The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts.

Impact

  • Attackers can enumerate valid user accounts
  • Enables targeted brute-force or phishing attacks
  • Information disclosure (account existence)

Recommended Fix

Perform a dummy bcrypt check when user is not found to ensure consistent response times.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@vendure/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25050"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-202"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-30T19:35:40Z",
    "nvd_published_at": "2026-01-30T16:16:13Z",
    "severity": "LOW"
  },
  "details": "### Summary\nThe `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses).\n\n### Details\nIn `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found:\n\n```typescript\nconst user = await this.userService.getUserByEmailAddress(ctx, data.username);\nif (!user) {\n    return false; // Instant return (~1-5ms)\n}\nconst passwordMatch = await this.verifyUserPassword(ctx, user.id, data.password);\n// Password check takes ~200-400ms with bcrypt (12 rounds)\n```\n\nThe significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts.\n\n### Impact\n- Attackers can enumerate valid user accounts\n- Enables targeted brute-force or phishing attacks\n- Information disclosure (account existence)\n\n### Recommended Fix\nPerform a dummy bcrypt check when user is not found to ensure consistent response times.",
  "id": "GHSA-6f65-4fv2-wwch",
  "modified": "2026-01-30T19:35:40Z",
  "published": "2026-01-30T19:35:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vendurehq/vendure/security/advisories/GHSA-6f65-4fv2-wwch"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25050"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vendurehq/vendure/commit/7f0c5556ecddb44a5d5208677a45fdd5923b0cc9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vendurehq/vendure"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vendurehq/vendure/releases/tag/v3.5.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy"
}

Mitigation
Architecture and Design

This is a complex topic. See the [REF-1492] for a good discussion of best practices.

No CAPEC attack patterns related to this CWE.