GitHub_M·CWE-204·Published 2026-02-20
Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0.
## Summary

A timing-based username enumeration vulnerability in Basic Authentication, caused by an early response on invalid usernames, could allow attackers to identify valid users and focus their efforts on targeted brute-force or credential-stuffing attacks.

## Details

SWS validates the provided username before performing any password verification.

- **Invalid Username:** The server returns a `401 Unauthorized` response immediately.
- **Valid Username:** The server proceeds to verify the password (e.g., using `bcrypt`), which introduces a different execution path and a measurable timing discrepancy.

This allows an attacker to distinguish between existing and non-existing accounts by analyzing response times.

## PoC

The following statistical results were obtained by measuring the mean response time over 100 iterations using a custom Rust script:

| User Type | Average Response Time |
| :--- | :--- |
| **Invalid User** | 0.409861 ms |
| **Valid User** | 0.250925 ms |
| **Difference** | **~0.158936 ms** |

While the valid user responded faster in this specific test environment, the statistically significant gap confirms that the authentication logic does not execute in constant time. The direction of the difference does not matter to an attacker: any consistently distinguishable response-time distribution is enough to separate existing usernames from non-existing ones.

## Impact

Users of SWS's Basic Authentication feature are primarily impacted.
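The two code paths described above, as an added example that is not code from the Static Web Server project: `auth_vulnerable` reproduces the early-return pattern (unknown usernames never reach the password hash), and `auth_fixed` shows one standard mitigation, running the same slow hash against a throwaway record when the username is unknown so that both paths do equal work. PBKDF2-HMAC-SHA256 from `hashlib` stands in for bcrypt, the user store with the single account `alice` is constructed for the demo, and nothing here describes how SWS 2.41.0 actually implements its fix. `kdf_runs` counts hash computations per request so the difference in work is visible without relying on wall-clock timing; `mean_ms` repeats the measurement the PoC made.

```python
"""Added example, not Static Web Server code: a Basic Authentication check
with the early-return pattern the advisory describes, beside one that does
the same password-hashing work whether or not the username exists.
PBKDF2-HMAC-SHA256 from hashlib stands in for bcrypt."""
import base64
import hashlib
import hmac
import os
import time

# Assumption: a work factor slow enough to dominate the request time but
# quick enough to run a few hundred times in a demo.
PBKDF2_ITERATIONS = 20_000

# Counts PBKDF2 runs so the amount of work per request is observable
# without depending on wall-clock measurements.
KDF_CALLS = {"n": 0}


def derive(password, salt):
    """One slow password-hash computation (stand-in for bcrypt)."""
    KDF_CALLS["n"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def make_record(password):
    salt = os.urandom(16)
    return salt, derive(password, salt)


# Constructed user store with a single valid account.
USERS = {"alice": make_record("correct horse battery staple")}

# Throwaway credential generated at startup: unknown usernames are checked
# against it so that they cost the same as a real account.
DUMMY_RECORD = make_record(os.urandom(32).hex())


def parse_basic(header):
    """Return (username, password) from an Authorization header, or None."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 (binascii.Error) or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def auth_vulnerable(header):
    """Pattern from the advisory: unknown users never reach the KDF."""
    creds = parse_basic(header)
    if creds is None:
        return 401
    user, password = creds
    if user not in USERS:
        return 401  # early return: no hashing, so a measurably different reply
    salt, expected = USERS[user]
    return 200 if hmac.compare_digest(derive(password, salt), expected) else 401


def auth_fixed(header):
    """Same decision, but every well-formed request pays for one KDF run."""
    creds = parse_basic(header)
    if creds is None:
        return 401
    user, password = creds
    known = user in USERS
    salt, expected = USERS[user] if known else DUMMY_RECORD
    matched = hmac.compare_digest(derive(password, salt), expected)
    # Non-short-circuit '&' so the result never skips the second operand.
    return 200 if (matched & known) else 401


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def kdf_runs(check, header):
    """How many KDF computations one request triggers through `check`."""
    before = KDF_CALLS["n"]
    check(header)
    return KDF_CALLS["n"] - before


def mean_ms(check, header, iterations=100):
    """Mean response time in ms, the measurement the advisory's PoC made."""
    start = time.perf_counter()
    for _ in range(iterations):
        check(header)
    return (time.perf_counter() - start) * 1000 / iterations


if __name__ == "__main__":
    for name, check in (("vulnerable", auth_vulnerable), ("fixed", auth_fixed)):
        for user in ("alice", "nobody"):
            hdr = basic_header(user, "wrong-password")
            print(f"{name:10} {user:7} {mean_ms(check, hdr):8.3f} ms  "
                  f"kdf runs per request: {kdf_runs(check, hdr)}")
```

Running the module prints the mean response time for a known and an unknown username against each implementation; the vulnerable one shows a gap on the order of one full KDF run, the fixed one does not. Equalising the hashing work removes the gross discrepancy the advisory measured, but it does not make the check constant time in the strict sense (dictionary lookup, header parsing and `compare_digest` on equal-length digests are close to, not exactly, constant), so rate limiting and monitoring of failed Basic Auth attempts remain worthwhile.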
| CVSS Version | Type | Source | Base Score | Exploitability Subscore | Impact Subscore | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 5.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | Secondary | NVD | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | Secondary | GHSA | 5.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |