CVE-2025-6386
CVE-2025-6386 is a high-severity vulnerability with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-203.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 0% (29th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-20213
- Weakness: CWE-203
- Published:
- Last modified:
Description
The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the `lollms_authentication.py` file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The affected version is the latest, and the issue is resolved in version 20.1. The vulnerability arises from the use of Python's default string equality operator for password comparison, which compares characters sequentially and exits on the first mismatch, leading to variable response times based on the number of matching initial characters.
Frequently asked questions
- What is CVE-2025-6386?
- The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the `lollms_authentication.py` file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The affected version is the latest, and the issue is resolved in version 20.1. The vulnerability arises from the use of Python's default string equality operator for password comparison, which compares characters sequentially and exits on the first mismatch, leading to variable response times based on the number of matching initial characters.
- How severe is CVE-2025-6386?
- CVE-2025-6386 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2025-6386 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (29th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-6386?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2025-6386 have an EU (EUVD) identifier?
- Yes. CVE-2025-6386 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-20213.
- When was CVE-2025-6386 published?
- CVE-2025-6386 was published on 2025-07-07 and last updated on 2026-06-17.
References
- https://github.com/parisneo/lollms/commit/f78437f7b5aa39a78c6201912faf4e0645a38c48
- https://huntr.com/bounties/6da05485-d219-4f18-9ffc-991053524b67
Other CWE-203 (Observable Discrepancy) vulnerabilities
- CVE-2019-25337 — Critical (CVSS 9.8): OwnCloud 8.1.8 contains a username enumeration vulnerability that allows remote attackers to discover user accounts by…
- CVE-2026-23519 — Critical (CVSS 9.8): RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in…
- CVE-2025-27667 — Critical (CVSS 9.8): Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Administrative…
- CVE-2024-25714 — Critical (CVSS 9.8): In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp function that is vulnerable to side-channel…
- CVE-2024-25191 — Critical (CVSS 9.8): php-jwt 1.0.0 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass…
- CVE-2024-25190 — Critical (CVSS 9.8): l8w8jwt 2.2.1 uses memcmp (which is not constant time) to verify authentication, which makes it easier to bypass…
Browse all CWE-203 (Observable Discrepancy) vulnerabilities →