
CWE-208 (Information Exposure Through Timing Discrepancy) — Vulnerability Class 103

103 vulnerabilities classified as CWE-208 (Information Exposure Through Timing Discrepancy). AI Chinese analysis included.

CWE-208 represents an information leakage weakness where an application’s response time varies based on internal state, inadvertently revealing sensitive data to external observers. Attackers typically exploit this by measuring the duration of operations, such as login attempts or database queries, to infer the existence of valid usernames or correct password characters. By analyzing these subtle timing differences, adversaries can bypass authentication mechanisms or extract confidential information without direct access. To mitigate this risk, developers must ensure that all security-critical operations take a constant amount of time, regardless of the outcome. This involves implementing uniform error handling, using constant-time comparison algorithms for secrets, and avoiding early returns that expose processing stages. By standardizing execution duration, applications prevent attackers from leveraging timing discrepancies to gain unauthorized insights into system states or credentials.

MITRE CWE Description
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. In security-relevant contexts, even small variations in timing can be exploited by attackers to indirectly infer certain details about the product's internal operations. For example, in some cryptographic algorithms, attackers can use timing differences to infer certain properties about a private key, making the key easier to guess. Timing discrepancies effectively form a timing side channel.
Common Consequences (1)
Scope: Confidentiality, Access Control · Impact: Read Application Data, Bypass Protection Mechanism
Examples (2)
Consider an example hardware module that checks a user-provided password to grant access to a user. The user-provided password is compared against a golden value in a byte-by-byte manner.
    always_comb begin
        check_pass = 4'b0;
        for (int i = 0; i < 4; i++) begin
            // compare one byte of the entered password with the golden value
            if (entered_pass[i*8 +: 8] == golden_pass[i*8 +: 8]) begin
                check_pass[i] = 1'b1;
                continue;
            end else begin
                check_pass[i] = 1'b0;
                break;   // stops at the first mismatching byte: the timing depends on the secret
            end
        end
        grant_access = (check_pass == 4'b1111) ? 1'b1 : 1'b0;
    end
Bad · Verilog
    always_comb begin
        check_pass = 4'b0;
        for (int i = 0; i < 4; i++) begin
            // compare one byte of the entered password with the golden value
            if (entered_pass[i*8 +: 8] == golden_pass[i*8 +: 8]) begin
                check_pass[i] = 1'b1;
                continue;
            end else begin
                check_pass[i] = 1'b0;
                continue;   // every byte is always examined, so the work done does not depend on the secret
            end
        end
        grant_access = (check_pass == 4'b1111) ? 1'b1 : 1'b0;
    end
Good · Verilog
In this example, the attacker observes how long an authentication takes when the user types in the correct password.
    def validate_password(actual_pw, typed_pw):
        if len(actual_pw) != len(typed_pw):
            return 0
        for i in range(len(actual_pw)):
            if actual_pw[i] != typed_pw[i]:
                return 0   # early return: the time taken reveals where the first mismatch is
        return 1
Bad · Python
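As an added illustration (not part of this page or of MITRE's CWE example), the variable-time comparison above next to its constant-time replacement, plus the username-enumeration case that several of the CVEs listed below describe: a login that only runs the password hash when the user exists, beside one that spends the same work on every attempt. The credential store, salt and dummy password are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo credential store (not from the page): username -> PBKDF2 hash.
# The salt is a fixed constant only to keep the example short and deterministic.
_SALT = b"constructed-demo-salt"


def _hash(password: bytes) -> bytes:
    """Slow password hash; the same work must be spent on every login attempt."""
    return hashlib.pbkdf2_hmac("sha256", password, _SALT, 50_000)


USERS = {"alice": _hash(b"correct horse battery")}
# Precomputed hash that login_hardened compares against when the username is unknown.
DUMMY_HASH = _hash(b"constructed-dummy-password")


def compare_variable_time(actual: bytes, typed: bytes) -> bool:
    """Same shape as the CWE example above: stops at the first differing byte."""
    if len(actual) != len(typed):
        return False
    for i in range(len(actual)):
        if actual[i] != typed[i]:
            return False  # position of the first mismatch leaks into the timing
    return True


def compare_constant_time(actual: bytes, typed: bytes) -> bool:
    """hmac.compare_digest examines every byte regardless of where they differ."""
    return hmac.compare_digest(actual, typed)


def login_vulnerable(username: str, password: bytes) -> bool:
    """Unknown users are answered before any hashing, so they respond measurably faster."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return compare_constant_time(stored, _hash(password))


def login_hardened(username: str, password: bytes) -> bool:
    """Hash and compare on every attempt; unknown users are checked against a dummy."""
    stored = USERS.get(username)
    reference = stored if stored is not None else DUMMY_HASH
    matched = compare_constant_time(reference, _hash(password))
    # Both branches have done the same hashing and comparison before this point.
    return matched and stored is not None
```

The hardened login still returns False for an unknown user even if the attacker happens to submit the dummy password, because the existence check is applied only after the fixed amount of work has been done.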
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-41588 | RELATE: Timing Attack Vulnerability in course/auth.py — check_sign_in_key() | relate | 9.0 | Critical | 2026-05-08
CVE-2026-41161 | Username Enumeration via Timing Attack | server | - | - | 2026-05-08
CVE-2026-33006 | Apache HTTP Server: mod_auth_digest timing attack | Apache HTTP Server | 8.1 (AI) | High (AI) | 2026-05-04
CVE-2026-41263 | Traefik: BasicAuth middleware: timing side-channel vulnerability | traefik | 3.7 (AI) | Low (AI) | 2026-04-30
CVE-2026-41407 | OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison | OpenClaw | 3.7 | Low | 2026-04-28
CVE-2026-40972 | VMware Spring Boot security vulnerability | Spring Boot | 7.5 | High | 2026-04-27
CVE-2026-41244 | Mojic: Observable Timing Discrepancy in HMAC Verification | mojic | 4.7 | Medium | 2026-04-24
CVE-2026-41418 | 4ga Boards: User Enumeration via Timing Side-Channel in Authentication Endpoint | 4gaBoards | 5.3 | Medium | 2026-04-24
CVE-2026-40263 | Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel | note-mark | 3.7 | Low | 2026-04-16
CVE-2026-33877 | ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint | apostrophe | 3.7 | Low | 2026-04-15
CVE-2026-5086 | Crypt::SecretBuffer versions before 0.019 for Perl is susceptible to timing attacks | Crypt::SecretBuffer | 5.9 | - | 2026-04-13
CVE-2026-40194 | phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals() | phpseclib | 3.7 | Low | 2026-04-10
CVE-2026-39321 | Parse Server has a login timing side-channel that reveals user existence | parse-server | 4.8 (AI) | Medium (AI) | 2026-04-07
CVE-2026-32595 | Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration | traefik | 3.7 | - | 2026-03-20
CVE-2026-33129 | h3 has an observable timing discrepancy in basic auth utils | h3 | 5.9 | Medium | 2026-03-20
CVE-2026-32935 | phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack | phpseclib | 5.9 | - | 2026-03-20
CVE-2026-32702 | Cleanuparr has Username Enumeration via Timing Attack | Cleanuparr | 3.7 (AI) | Low (AI) | 2026-03-13
CVE-2026-28475 | OpenClaw < 2026.2.13 - Timing Attack via Hook Token Comparison | OpenClaw | 4.8 | Medium | 2026-03-05
CVE-2026-28464 | OpenClaw < 2026.2.12 - Timing Attack in Hooks Token Authentication | OpenClaw | 5.9 | Medium | 2026-03-05
CVE-2026-3337 | Timing Side-Channel in AES-CCM Tag Verification in AWS-LC | AWS-LC | 5.9 | Medium | 2026-03-02
CVE-2026-23901 | Apache Shiro: Brute force attack possible to determine valid user names | Apache Shiro | 6.5 | - | 2026-02-10
CVE-2025-68621 | Trilium Notes has a Timing Attack Vulnerability in /api/login/sync | Trilium | 7.4 | High | 2026-02-06
CVE-2026-25597 | PrestaShop has a time based enumeration in FO login form | PrestaShop | 5.3 | Medium | 2026-02-06
CVE-2025-13473 | Username enumeration through timing difference in mod_wsgi authentication handler | Django | 3.7 | - | 2026-02-03
CVE-2026-23892 | OctoPrint has Timing Side-Channel Vulnerability in API Key Authentication | OctoPrint | 5.9 (AI) | Medium (AI) | 2026-01-27
CVE-2025-22234 | Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation | Spring Security | 5.3 | Medium | 2026-01-22
CVE-2026-23996 | FastAPI Api Key has a timing side-channel in verify_key that allows statistical key validity detection | fastapi-api-key | 3.7 | Low | 2026-01-21
CVE-2026-23849 | File Browser vulnerable to Username Enumeration via Timing Attack in /api/login | filebrowser | 5.3 | Medium | 2026-01-19
CVE-2026-23519 | RustCrypto cmov: thumbv6m-none-eabi compiler emits non-constant time assembly when using cmovnz | utils | 7.5 (AI) | High (AI) | 2026-01-15
CVE-2025-52457 | Gallagher HBUS Devices security vulnerability | HBUS Devices | 5.7 | Medium | 2025-11-18

Vulnerabilities classified as CWE-208 (Information Exposure Through Timing Discrepancy) represent 103 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.