Timing Attack Vulnerability in SCRAM Authentication Mechanism Affecting Ongres
CVE-2025-59432

6.6MEDIUM

Key Information:

Vendor

Ongres

Status
Scram
Vendor
CVE Published:
22 September 2025

What is CVE-2025-59432?

A timing vulnerability in the Java implementation of SCRAM arises from using Arrays.equals to compare secret values. This implementation allows variations in execution time based on the number of leading byte matches, potentially enabling attackers to infer sensitive authentication materials through timing side-channel attacks. This issue has been addressed in version 3.2 by replacing the vulnerable comparison method with MessageDigest.isEqual, ensuring constant-time operations for improved security.

Affected Version(s)

scram < 3.2

References

https://github.com/ongres/scram/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/ongres/scram/commit/f04975680d4a67bc84...
x_refsource_MISC
https://docs.oracle.com/en/java/javase/25/docs/api/java.b...
x_refsource_MISC

CVSS V4

Score:
6.6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-59432 : Timing Attack Vulnerability in SCRAM Authentication Mechanism Affecting Ongres