
3236 matches found

RedhatCVE
added 2025/07/09 10:22 a.m. · 6 views

CVE-2025-6386

The parisneo/lollms repository is affected by a timing attack vulnerability in the authenticate_user function within the lollms_authentication.py file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The...

CVSS 7.5 · AI score 7.3 · EPSS 0.00371
Exploits 0 · References 1
Github Security Blog
added 2025/07/07 12:30 p.m. · 7 views

Lord of Large Language Models vulnerable to Observable Discrepancy attack via authenticate_user function

The parisneo/lollms repository is affected by a timing attack vulnerability in the authenticate_user function within the lollms_authentication.py file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The...

CVSS 7.5 · AI score 7.4 · EPSS 0.00371
Exploits 0 · References 4 · Affected Software 1
OSV
added 2025/07/07 12:30 p.m. · 3 views

GHSA-J5PR-VRJJ-9V4H Lord of Large Language Models vulnerable to Observable Discrepancy attack via authenticate_user function

The parisneo/lollms repository is affected by a timing attack vulnerability in the authenticate_user function within the lollms_authentication.py file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The...

CVSS 7.5 · AI score 7.3 · EPSS 0.00371
Exploits 0 · References 4
NVD
added 2025/07/07 10:15 a.m. · 13 views

CVE-2025-6386

The parisneo/lollms repository is affected by a timing attack vulnerability in the authenticate_user function within the lollms_authentication.py file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The...

CVSS 7.5 · EPSS 0.00371
Exploits 0 · References 2
OSV
added 2025/07/07 10:15 a.m. · 13 views

CVE-2025-6386

The parisneo/lollms repository is affected by a timing attack vulnerability in the authenticate_user function within the lollms_authentication.py file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The...

CVSS 7.5 · AI score 7.3 · EPSS 0.00371
Exploits 0 · References 2
CVE
added 2025/07/07 9:55 a.m. · 40 views

CVE-2025-6386

The CVE relates to parisneo/lollms, where the authenticate_user function in lollms_authentication.py is vulnerable to a timing attack that enables username enumeration and incremental password guessing. The root cause is the use of Python’s default string equality operator, which compares charact...

CVSS 7.5 · AI score 7.5 · EPSS 0.00371
Exploits 0 · References 2
Cvelist
added 2025/07/07 9:55 a.m. · 24 views

CVE-2025-6386 Timing Attack Vulnerability in parisneo/lollms

The parisneo/lollms repository is affected by a timing attack vulnerability in the authenticate_user function within the lollms_authentication.py file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The...

CVSS 7.5 · EPSS 0.00371
Exploits 0 · References 2
Vulnrichment
added 2025/07/07 9:55 a.m. · 2 views

CVE-2025-6386 Timing Attack Vulnerability in parisneo/lollms

The parisneo/lollms repository is affected by a timing attack vulnerability in the authenticate_user function within the lollms_authentication.py file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The...

CVSS 7.5 · AI score 7.4 · EPSS 0.00371
Exploits 0 · References 2
CNNVD
added 2025/07/07 12:00 a.m. · 3 views

LoLLMs security vulnerability

LoLLMs is a large language and multimodal system by the individual developer Saifeddine ALOUI. A security vulnerability exists in LoLLMs that stems from a risk of a timing difference attack in the authenticate_user function in lollms_authentication.py, which could lead to username enumeration and...

CVSS 7.5 · AI score 7.4 · EPSS 0.00371
Exploits 0 · References 3
Positive Technologies
added 2025/07/07 12:00 a.m. · 4 views

PT-2025-28157 · Parisneo · Lollms

Name of the Vulnerable Software and Affected Versions: parisneo/lollms versions prior to 20.1. Description: The issue arises from a timing attack vulnerability in the authenticate_user function within the lollms_authentication.py file. This vulnerability allows attackers to enumerate valid usernam...

CVSS 7.5 · AI score 7.3 · EPSS 0.00371
Exploits 0 · References 8
NVD
added 2025/07/04 12:15 p.m. · 8 views

CVE-2025-6056

Timing difference in password reset in Ergon Informatik AG's Airlock IAM 7.7.9, 8.0.8, 8.1.7, 8.2.4 and 8.3.1 allows unauthenticated attackers to enumerate usernames...

CVSS 6.9 · EPSS 0.00317
Exploits 0 · References 1
Positive Technologies
added 2025/06/30 12:00 a.m. · 4 views

PT-2025-30211 · Arm · Mbed Tls

Name of the Vulnerable Software and Affected Versions: Mbed TLS versions 3.6.1 through 3.6.3. Description: A timing discrepancy in block cipher padding removal allows an attacker to recover the plaintext when PKCS7 padding mode is used. Recommendations: Update to version 3.6.4 or later...

CVSS 4 · AI score 6.2 · EPSS 0.00395
Exploits 1 · References 14
OSV
added 2025/06/16 10:15 p.m. · 1 view

UBUNTU-CVE-2025-27587

OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable to a Minerva attack, exploitable by measuring the time of signing of random messages using the EVP_DigestSign API, and then using the private key to extract the K value nonce from the signatures. Next, based on the bit size of t...

CVSS 5.3 · AI score 7.1 · EPSS 0.00361
Exploits 0 · References 3
Tenable Nessus
added 2025/06/16 12:00 a.m. · 6 views

TencentOS Server 3: openssl (TSSA-2023:0021)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2023:0021 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:...

CVSS 5.9 · AI score 7.9 · EPSS 0.16195
Exploits 0 · References 2
Tenable Nessus
added 2025/06/16 12:00 a.m. · 2 views

TencentOS Server 4: iperf3 (TSSA-2024:0494)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2024:0494 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...

CVSS 5.9 · AI score 6.5 · EPSS 0.01107
Exploits 0 · References 2
IBM Security Bulletins
added 2025/06/12 10:48 a.m. · 3 views

Security Bulletin: Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured tokens, affects watsonx.data

Summary: The bearertokenauth extension's server authenticator performs a simple, non-constant time string comparison of the received and configured bearer tokens. This impacts anyone using the bearertokenauth server authenticator. Malicious clients with network access to the collector may perform a...

CVSS 6.5 · AI score 6.7 · EPSS 0.0062
Exploits 0 · Affected Software 1
Github Security Blog
added 2025/06/05 12:37 a.m. · 11 views

SignXML's signature verification with HMAC is vulnerable to a timing attack

When verifying signatures with X509 certificate validation turned off and an HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...)), prior versions of SignXML are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing...

CVSS 6.9 · AI score 6.3 · EPSS 0.00199
Exploits 0 · References 4 · Affected Software 1
OSV
added 2025/06/05 12:37 a.m. · 0 views

GHSA-GMHF-GG8W-JW42 SignXML's signature verification with HMAC is vulnerable to a timing attack

When verifying signatures with X509 certificate validation turned off and an HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...)), prior versions of SignXML are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing...

CVSS 6.9 · AI score 5.9 · EPSS 0.00199
Exploits 0 · References 4
RedhatCVE
added 2025/06/04 5:14 p.m. · 8 views

CVE-2025-48995

SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and an HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...)), versions of SignXML prior to 4.0.4 are vulnerable to a potential...

CVSS 6.9 · AI score 6.8 · EPSS 0.00199
Exploits 0 · References 1
Snyk
added 2025/06/02 5:41 p.m. · 2 views

Timing Attack

Overview: signxml is a Python XML Signature and XAdES library. Affected versions of this package are vulnerable to Timing Attack due to the verify function in XMLVerifier. An attacker can infer the correct HMAC used for XML signature verification by observing the time it takes to compare the comput...

CVSS 6.9 · AI score 6.9 · EPSS 0.00199
Exploits 0 · References 2