CVE-2025-9824
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/09/2025
Last modified:
04/09/2025
Description
Impact
An attacker can determine whether a user account exists by measuring how long the login request takes to return. This timing difference can be used to enumerate valid usernames, after which the attacker can focus brute-force (password-guessing) attacks on the accounts known to exist.

Patches
This vulnerability has been patched by introducing a timing-safe form login authenticator that keeps response times consistent regardless of whether the submitted username exists.

Technical Details
The vulnerability was caused by different response times depending on the submitted username:

* Valid username: the stored password hash was verified, so the request incurred the full cost of the password hashing algorithm.
* Invalid username: no user record was found, so no password hashing occurred and the request returned noticeably faster.

The fix introduces a TimingSafeFormLoginAuthenticator that performs a dummy password hash verification even when the user does not exist, so both code paths incur the same hashing cost and the response time no longer reveals whether the username is valid.

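The following is an added illustration of the flaw and of the dummy-verification fix described above; it is not code from the affected project or from this advisory. It uses PBKDF2-SHA256 via Python's hashlib as a stand-in for whatever password hasher the project uses, and the user store, usernames, passwords and function names (login_vulnerable, login_timing_safe, time_login) are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Cost parameters. The dummy entry MUST use the same parameters as real
# entries, otherwise the unknown-user path still has a different timing.
HASH_ITERATIONS = 50_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 digest) for a password; fresh salt if none given."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, HASH_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# Constructed sample user store (hypothetical user, not from any real system).
USERS = {
    "alice": hash_password("correct horse battery staple"),
}


def login_vulnerable(username: str, password: str) -> bool:
    """Pre-fix behaviour: an unknown username skips hashing and returns fast,
    so the response time reveals whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return False  # fast path: no PBKDF2 work done
    salt, expected = record
    return verify_password(password, salt, expected)


# Dummy credentials for non-existent users, computed once at start-up with the
# same cost parameters as real entries (random password, never valid for login).
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(os.urandom(32).hex())


def login_timing_safe(username: str, password: str) -> bool:
    """Post-fix behaviour: always perform one hash verification. For an unknown
    username the work is done against the dummy entry and the result discarded,
    so both paths cost the same and the outcome only depends on both checks."""
    record = USERS.get(username)
    user_exists = record is not None
    salt, expected = record if user_exists else (_DUMMY_SALT, _DUMMY_DIGEST)
    password_ok = verify_password(password, salt, expected)
    return user_exists and password_ok


def time_login(login_fn, username: str, password: str, rounds: int = 5) -> float:
    """Median wall-clock seconds for one login attempt (constructed helper that
    plays the role of the attacker's stopwatch)."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        login_fn(username, password)
        samples.append(time.perf_counter() - start)
    samples.sort()
    return samples[len(samples) // 2]


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("timing-safe", login_timing_safe)):
        known = time_login(fn, "alice", "wrong-password")
        unknown = time_login(fn, "nobody", "wrong-password")
        print(f"{name:12s} known user: {known * 1000:7.2f} ms   unknown user: {unknown * 1000:7.2f} ms")
```

Run stand-alone, the vulnerable authenticator answers an unknown username in microseconds while a known username costs the full PBKDF2 run; the timing-safe version spends roughly the same time on both. Two caveats a practitioner should check in the real code: the dummy entry must be created with the same algorithm and cost as the live hashes (legacy accounts with a weaker hasher reintroduce a measurable difference), and the user lookup itself (database query, cache hit) can still leak if its cost differs for present and absent rows.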
Workarounds
No workarounds are available. Users should upgrade to the patched version.

References
* https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account
Impact
Base Score (CVSS v3.x):
5.90
Severity (CVSS v3.x):
MEDIUM