CVE-2026-25050

Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found. The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. Version 3.5.3 fixes the issue.

Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found. The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. Version 3.5.3 fixes the issue.

### Summary The `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). ### Details In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found: ```typescript const user = await this.userService.getUserByEmailAddress(ctx, data.username); if (!user) { return false; // Instant return (~1-5ms) } const passwordMatch = await this.verifyUserPassword(ctx, user.id, data.password); // Password check takes ~200-400ms with bcrypt (12 rounds) ``` The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. ### Impact - Attackers can enumerate valid user accounts - Enables targeted brute-force or phishing attacks - Information disclosure (account existence) ### Recommended Fix Perform a dummy bcrypt check when user is not found to ensure consistent response times.

### Summary The `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). ### Details In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found: ```typescript const user = await this.userService.getUserByEmailAddress(ctx, data.username); if (!user) { return false; // Instant return (~1-5ms) } const passwordMatch = await this.verifyUserPassword(ctx, user.id, data.password); // Password check takes ~200-400ms with bcrypt (12 rounds) ``` The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. ### Impact - Attackers can enumerate valid user accounts - Enables targeted brute-force or phishing attacks - Information disclosure (account existence) ### Recommended Fix Perform a dummy bcrypt check when user is not found to ensure consistent response times.

Vendure es una plataforma de comercio headless de código abierto. Antes de la versión 3.5.3, el método 'NativeAuthenticationStrategy.authenticate()' es vulnerable a un ataque de temporización que permite a los atacantes enumerar nombres de usuario válidos (direcciones de correo electrónico). En 'packages/core/src/config/auth/native-authentication-strategy.ts', el método authenticate devuelve inmediatamente si no se encuentra un usuario. La diferencia de temporización significativa (~200-400ms para bcrypt frente a ~1-5ms para una falla de DB) permite a los atacantes distinguir de forma fiable entre cuentas existentes y no existentes. La versión 3.5.3 corrige el problema.