Traefik BasicAuth Middleware Timing Side-Channel Vulnerability Allowing Username Enumeration

Vulnerability

A timing side-channel vulnerability has been identified in the BasicAuth middleware of Traefik, an HTTP reverse proxy and load balancer. It affects Traefik versions prior to 2.11.43, 3.6.14, and 3.7.0-rc.2. The issue allows an attacker to enumerate valid usernames by measuring differences in authentication response times. The root cause is that the variable meant to hold the constant-time fallback secret (the dummy credential that should be evaluated when the supplied username is unknown) is always empty. The fallback comparison therefore fails immediately, in microseconds, instead of performing a full bcrypt evaluation. This reintroduces the timing oracle the fallback was meant to remove: a request for an existing username costs a full bcrypt comparison, while a request for a non-existent username returns almost instantly, so the two cases can be distinguished from response times alone.
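The following Go program is an added illustration of the mechanism described above; it is not Traefik's code and it does not use Traefik's identifiers. To stay within the standard library it replaces bcrypt with a deliberately slow iterated SHA-256 stand-in (slowHash, slowRounds), which is an assumption of the example, not a secure password hash. The shape of compareHashAndPassword mirrors bcrypt.CompareHashAndPassword in one respect that matters here: a malformed hash, including the empty string, is rejected before any expensive work is done. The names basicAuth, newVulnerable, newFixed and fallbackIsEvaluated are all hypothetical.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// slowRounds sets the cost of the stand-in hash. Assumption of this
// example; Traefik evaluates real bcrypt hashes.
const slowRounds = 100000

const hashPrefix = "$slow$"

// slowHash is a deliberately expensive stand-in for bcrypt (iterated
// SHA-256) so the example runs with only the standard library. It is NOT
// a secure password hash; it only makes the cost of a comparison visible.
func slowHash(password string) string {
	sum := sha256.Sum256([]byte(password))
	for i := 0; i < slowRounds; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return hashPrefix + hex.EncodeToString(sum[:])
}

var (
	errInvalidHash = errors.New("invalid hash format")
	errMismatch    = errors.New("password mismatch")
)

// compareHashAndPassword mirrors the shape of bcrypt.CompareHashAndPassword:
// a malformed hash (including "") is rejected before any expensive work.
// It also reports the rounds spent so a test can check cost without timing.
func compareHashAndPassword(hash, password string) (rounds int, err error) {
	if !strings.HasPrefix(hash, hashPrefix) {
		return 0, errInvalidHash // early exit: microseconds, not milliseconds
	}
	computed := slowHash(password)
	if subtle.ConstantTimeCompare([]byte(computed), []byte(hash)) != 1 {
		return slowRounds, errMismatch
	}
	return slowRounds, nil
}

// basicAuth holds an htpasswd-style user table plus the fallback hash that
// must be evaluated whenever the username is unknown.
type basicAuth struct {
	users        map[string]string
	fallbackHash string
}

// authenticate looks the user up and always runs exactly one comparison.
// An unknown user is rejected even if the password matches the fallback.
func (b *basicAuth) authenticate(user, password string) (ok bool, rounds int) {
	hash, found := b.users[user]
	if !found {
		hash = b.fallbackHash
	}
	rounds, err := compareHashAndPassword(hash, password)
	return found && err == nil, rounds
}

// newVulnerable reproduces the flaw: the fallback variable is never
// populated, so the unknown-user branch compares against "" and exits early.
func newVulnerable(users map[string]string) *basicAuth {
	return &basicAuth{users: users, fallbackHash: ""}
}

// newFixed derives a real fallback hash at construction time, at the same
// cost as the stored hashes, so unknown users pay the full price too.
func newFixed(users map[string]string) *basicAuth {
	return &basicAuth{users: users, fallbackHash: slowHash("fallback-secret-never-accepted")}
}

// fallbackIsEvaluated is the regression check a reviewer would want: the
// unknown-user path must do as much work as a wrong password for a known user.
func fallbackIsEvaluated(b *basicAuth, knownUser string) bool {
	_, unknownRounds := b.authenticate("no-such-user", "x")
	_, knownRounds := b.authenticate(knownUser, "wrong-password")
	return unknownRounds > 0 && unknownRounds == knownRounds
}

func timeAuth(b *basicAuth, user string) time.Duration {
	start := time.Now()
	b.authenticate(user, "wrong-password")
	return time.Since(start)
}

func main() {
	// Constructed sample user table; "alice" is the only valid account.
	users := map[string]string{"alice": slowHash("correct horse battery staple")}
	for name, b := range map[string]*basicAuth{"vulnerable": newVulnerable(users), "fixed": newFixed(users)} {
		fmt.Printf("%-10s known=%v unknown=%v fallbackEvaluated=%v\n",
			name, timeAuth(b, "alice"), timeAuth(b, "mallory"), fallbackIsEvaluated(b, "alice"))
	}
}
```

Running it shows the oracle directly: in the vulnerable instance the unknown-user request completes in microseconds while the known-user request takes the full hash cost, and in the fixed instance both take roughly the same time. The fallbackIsEvaluated check compares work done rather than wall-clock time so it can run as a deterministic test; a real fallback should be generated at startup with the same cost parameter as the stored bcrypt hashes, never accepted as a credential, and covered by exactly this kind of regression test so an empty-variable bug cannot silently reintroduce the leak.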

Impact

Exploitation of this vulnerability allows username enumeration: an unauthenticated attacker who can reach a BasicAuth-protected route can tell valid usernames from invalid ones by the difference in response time, without needing a correct password. The confirmed list of usernames then narrows subsequent password-guessing or credential-stuffing attempts to real accounts.

Remediation

Users should upgrade to Traefik version 2.11.43, 3.6.14, or 3.7.0-rc.2 (or later) to address this vulnerability. The flaw is in the middleware's code path rather than in its configuration, so no configuration change removes it; until the upgrade is applied, rate limiting on affected routes only slows an enumeration attempt and does not remove the timing signal.

Added: Apr 30, 2026, 9:24 PM
Updated: Apr 30, 2026, 9:24 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 0.6
exploitability: 7.6
remediation: 7.7
relevance: 7.1
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.