CVE-2025-9824
Mautic Vulnerable to User Enumeration via Response Timing
Severity: MEDIUM (5.9) | EPSS: 0.08%
Description
### Impact

An attacker can determine whether a username exists by measuring how long the login request takes to return. This timing difference can be used to enumerate valid usernames, after which the attacker could attempt brute-force attacks against the accounts found.

### Patches

This vulnerability has been patched by implementing a timing-safe form login authenticator that ensures consistent response times regardless of whether a user exists or not.

### Technical Details

The vulnerability was caused by different response times when:

- A valid username was provided (password hashing occurred)
- An invalid username was provided (no password hashing occurred)

The fix introduces a `TimingSafeFormLoginAuthenticator` that performs a dummy password hash verification even for non-existent users, so both code paths do the same amount of work and take a consistent time.

### Workarounds

No workarounds are available. Users should upgrade to the patched version.

### References

- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account
- https://github.com/mautic/mautic-security/pull/146
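The following is an added example, not code from Mautic or from the advisory's patch, showing the defect and the fix pattern side by side in Python. The "vulnerable" login returns immediately for an unknown user and only hashes when the username exists; the "timing-safe" login verifies the submitted password against a dummy hash when the user is unknown, so both paths perform the same hashing work. PBKDF2 from the standard library is an assumed stand-in for the framework's password hasher, `UserStore`, `login_vulnerable`, `login_timing_safe` and `hash_work_per_path` are names made up for this example, and the counter on `UserStore.verify` makes the difference checkable without relying on wall-clock measurements.

```python
"""Added example: fast-fail login versus timing-safe login with a dummy hash."""
import hashlib
import hmac
import os
import statistics
import time
from dataclasses import dataclass, field

# Assumed stand-in for the framework's password hasher: PBKDF2-HMAC-SHA256.
# The round count is chosen so that a verification is measurably slow.
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)  # username -> (salt, stored hash)
    verify_calls: int = 0                        # how many hash verifications ran

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def verify(self, salt: bytes, stored: bytes, candidate: str) -> bool:
        self.verify_calls += 1
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(hash_password(candidate, salt), stored)


# Dummy credentials used only so the unknown-user path does real hashing work.
# The password is random and never stored, so the dummy check can never succeed.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password(os.urandom(16).hex(), DUMMY_SALT)


def login_vulnerable(store: UserStore, username: str, password: str) -> bool:
    record = store.users.get(username)
    if record is None:
        return False  # returns without hashing: a fast reply reveals the user is absent
    salt, stored = record
    return store.verify(salt, stored, password)


def login_timing_safe(store: UserStore, username: str, password: str) -> bool:
    record = store.users.get(username)
    if record is None:
        # Same expensive work as the known-user path, then reject regardless.
        store.verify(DUMMY_SALT, DUMMY_HASH, password)
        return False
    salt, stored = record
    return store.verify(salt, stored, password)


def hash_work_per_path(login) -> tuple:
    """Return (verifications for an unknown user, verifications for a known user)."""
    store = UserStore()
    store.add_user("alice", "correct horse battery staple")  # constructed sample user
    start = store.verify_calls
    login(store, "nobody", "guess")
    unknown = store.verify_calls - start
    start = store.verify_calls
    login(store, "alice", "guess")
    known = store.verify_calls - start
    return unknown, known


def median_ms(login, store: UserStore, username: str, samples: int = 5) -> float:
    """Median wall-clock time of a login attempt, for a local demonstration only."""
    timings = []
    for _ in range(samples):
        t0 = time.perf_counter()
        login(store, username, "guess")
        timings.append((time.perf_counter() - t0) * 1000)
    return statistics.median(timings)


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "correct horse battery staple")
    for name, login in (("vulnerable", login_vulnerable), ("timing-safe", login_timing_safe)):
        print(f"{name:12s} unknown user: {median_ms(login, store, 'nobody'):7.2f} ms  "
              f"known user: {median_ms(login, store, 'alice'):7.2f} ms")
```

Running the module prints the median response time per path; the vulnerable variant answers an unknown username in a fraction of a millisecond while a known one costs a full PBKDF2 verification, and the timing-safe variant costs the same on both. The dummy hash must be a real hash at the same cost as stored ones, so that the work done is equivalent and not merely non-zero.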
Affected packages (1)
- Packagist: mautic/core, versions >= 4.4.0, < 4.4.17
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.9) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-9824
- PATCH: https://github.com/mautic/mautic
- WEB: https://github.com/mautic/mautic/commit/6bc4f5f1aabb13df12714ad0ea9fc281cbb867c6
- WEB: https://github.com/mautic/mautic/commit/b4264c717ce31fbafafcefc04b02ecb9fb911e62
- WEB: https://github.com/mautic/mautic/security/advisories/GHSA-3ggv-qwcp-j6xg