From e2766aa233419ae9e46389178f06904afb8052d1 Mon Sep 17 00:00:00 2001
From: Ali Ali
Date: Sat, 7 Feb 2026 11:13:47 +0300
Subject: [PATCH 1/3] Improve GHSA-6f65-4fv2-wwch

---
 .../2026/01/GHSA-6f65-4fv2-wwch/GHSA-6f65-4fv2-wwch.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/advisories/github-reviewed/2026/01/GHSA-6f65-4fv2-wwch/GHSA-6f65-4fv2-wwch.json b/advisories/github-reviewed/2026/01/GHSA-6f65-4fv2-wwch/GHSA-6f65-4fv2-wwch.json
index 7fb70d3c4a912..c3b05887d4422 100644
--- a/advisories/github-reviewed/2026/01/GHSA-6f65-4fv2-wwch/GHSA-6f65-4fv2-wwch.json
+++ b/advisories/github-reviewed/2026/01/GHSA-6f65-4fv2-wwch/GHSA-6f65-4fv2-wwch.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-6f65-4fv2-wwch",
- "modified": "2026-01-30T19:35:40Z",
+ "modified": "2026-01-30T19:35:42Z",
 "published": "2026-01-30T19:35:40Z",
 "aliases": [
 "CVE-2026-25050"
@@ -11,7 +11,7 @@
 "severity": [
 {
 "type": "CVSS_V4",
- "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"
+ "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
 }
 ],
 "affected": [
@@ -61,7 +61,7 @@
 "cwe_ids": [
 "CWE-202"
 ],
- "severity": "LOW",
+ "severity": "MODERATE",
 "github_reviewed": true,
 "github_reviewed_at": "2026-01-30T19:35:40Z",
 "nvd_published_at": "2026-01-30T16:16:13Z"

From 5e96ea57b65b9b232b886b7a1473ae344545448f Mon Sep 17 00:00:00 2001
From: Ali Ali
Date: Sat, 7 Feb 2026 21:40:33 +0300
Subject: [PATCH 2/3] Improve GHSA-6f65-4fv2-wwch

---
 .../2026/01/GHSA-6f65-4fv2-wwch/GHSA-6f65-4fv2-wwch.json | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/advisories/github-reviewed/2026/01/GHSA-6f65-4fv2-wwch/GHSA-6f65-4fv2-wwch.json b/advisories/github-reviewed/2026/01/GHSA-6f65-4fv2-wwch/GHSA-6f65-4fv2-wwch.json
index c3b05887d4422..8aef732af8f4f 100644
--- a/advisories/github-reviewed/2026/01/GHSA-6f65-4fv2-wwch/GHSA-6f65-4fv2-wwch.json
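Review bot: The rescored vector in the second hunk raises Attack Complexity from `AC:L` to `AC:H`, but nothing in the patch records why; the advisory's own details (visible as context in the following patch) describe a ~200-400ms versus ~1-5ms difference that lets an attacker "reliably distinguish" accounts, which reads as `AC:L`, since as I read CVSS 4.0 `AC:H` is reserved for attacks that must first evade security-enhancing measures. Dropping the `E:U` threat metric and lifting the label to MODERATE in the third hunk are consistent with each other, so the open question is only the complexity change; if it cannot be justified the line should read `"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"` with the MODERATE label kept. The `modified` field in the first hunk is advanced by only two seconds and still dated 2026-01-30 although the commit is dated 2026-02-07; OSV consumers rely on `modified` to detect changed records, so it presumably should carry the actual edit time (or be left for the database tooling to set, if that is the repository's convention).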
+++ b/advisories/github-reviewed/2026/01/GHSA-6f65-4fv2-wwch/GHSA-6f65-4fv2-wwch.json
@@ -8,12 +8,7 @@
 ],
 "summary": "Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy",
 "details": "### Summary\nThe `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses).\n\n### Details\nIn `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found:\n\n```typescript\nconst user = await this.userService.getUserByEmailAddress(ctx, data.username);\nif (!user) {\n return false; // Instant return (~1-5ms)\n}\nconst passwordMatch = await this.verifyUserPassword(ctx, user.id, data.password);\n// Password check takes ~200-400ms with bcrypt (12 rounds)\n```\n\nThe significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts.\n\n### Impact\n- Attackers can enumerate valid user accounts\n- Enables targeted brute-force or phishing attacks\n- Information disclosure (account existence)\n\n### Recommended Fix\nPerform a dummy bcrypt check when user is not found to ensure consistent response times.",
- "severity": [
- {
- "type": "CVSS_V4",
- "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
- }
- ],
+ "severity": [],
 "affected": [
 {
 "package": {
@@ -61,7 +56,7 @@
 "cwe_ids": [
 "CWE-202"
 ],
- "severity": "MODERATE",
+ "severity": "CRITICAL",
 "github_reviewed": true,
 "github_reviewed_at": "2026-01-30T19:35:40Z",
 "nvd_published_at": "2026-01-30T16:16:13Z"

From 7184e58739c317eab383635c186b1c9f0ed938fd Mon Sep 17 00:00:00 2001
From: Ali Ali
Date: Sat, 7 Feb 2026 21:40:40 +0300
Subject: [PATCH 3/3] Improve GHSA-6f65-4fv2-wwch
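Review bot: The second hunk sets the label to `"severity": "CRITICAL"` while the first hunk deletes the only CVSS vector and leaves `"severity": []`, so the label no longer has any score behind it and a consumer has no way to reconcile the two. Reviewed GHSA entries derive the label from the CVSS base score, and the vector removed here (network-reachable, low confidentiality impact only, no integrity or availability impact, CWE-202 observable discrepancy) scores in the medium range as far as I can tell, which does not support CRITICAL; keeping the `CVSS_V4` entry in the `severity` array and the line as `"severity": "MODERATE"` is the consistent state. The label line appears to sit in the `database_specific` object, whose opening is outside the hunk, and `modified` is not touched by this patch even though the record changes materially.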