CVE-2025-22234

CVE-2025-22234 is associated with Spring Security’s timing-attack mitigation in DaoAuthenticationProvider. The described issue states that the fix applied in CVE-2025-22228 accidentally broke the mitigation, enabling an attacker to infer usernames or authentication behavior via response-time diff...

EUVD-2025-20213

Malicious code in bioql PyPI...

GHSA-4QJH-9FV9-R85R Potential Timing Side-Channel Vulnerability in vLLM’s Chunk-Based Prefix Caching

This issue arises from the prefix caching mechanism, which may expose the system to a timing side-channel attack. Description When a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT Time to First...

Timing attacks to guess password in lollms_authentication.py

Description The authenticateuser function in /server/endpoints/lollmsauthentication.py is vulnerable to timing attacks that can be exploited to: Enumerate valid usernames. Guess passwords incrementally by analyzing response time differences. Explanation of the vulnerability def...

vantage6 vulnerable to a username timing attack on recover password/MFA token

Impact Much like https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes /recover/lost and /2fa/lost, which send emails to users if they have lost their password or MFA token. Usernames can be...