Vendure Native Authentication Strategy Timing Attack Vulnerability Allowing User Enumeration

A timing attack vulnerability has been identified in the Native Authentication Strategy of Vendure, an open-source headless commerce platform, prior to version 3.5.3. The vulnerability allows attackers to enumerate valid usernames (email addresses) by exploiting a significant timing difference in the authentication response. When a user is not found, the method returns almost instantly, whereas a successful password verification with bcrypt takes considerably longer. This discrepancy enables reliable distinction between existing and non-existing accounts, potentially leading to targeted brute-force or phishing attacks.

Impact

Exploitation of this vulnerability allows for the enumeration of valid user accounts, which could be followed by targeted brute-force or phishing attacks.

Remediation

Users can upgrade to Vendure version 3.5.3 or later, where this vulnerability has been patched. Instructions for updating can be found in the Vendure documentation.