We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-6386

Timing Attack Vulnerability in parisneo/lollms



Description

The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the `lollms_authentication.py` file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The affected version is the latest, and the issue is resolved in version 20.1. The vulnerability arises from the use of Python's default string equality operator for password comparison, which compares characters sequentially and exits on the first mismatch, leading to variable response times based on the number of matching initial characters.

Reserved 2025-06-19 | Published 2025-07-07 | Updated 2025-07-07 | Assigner @huntr_ai


HIGH: 7.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-203 Observable Discrepancy

Product status

Any version before 20.1
affected

References

huntr.com/bounties/6da05485-d219-4f18-9ffc-991053524b67

github.com/...ommit/f78437f7b5aa39a78c6201912faf4e0645a38c48

cve.org (CVE-2025-6386)

nvd.nist.gov (CVE-2025-6386)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-6386

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.