CVE-2025-9824 – mautic/core
Package
Manager: composer
Name: mautic/core
Vulnerable Version: >=4.4.0 <4.4.17 || >=5.0.0-alpha <5.2.8 || >=6.0.0-alpha <6.0.5
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.0004 (percentile 0.11092)
Details
Mautic Vulnerable to User Enumeration via Response Timing

### Impact
An attacker can determine whether a given username exists by measuring how long the login request takes to respond. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute-force attacks against them.

### Patches
This vulnerability has been patched by implementing a timing-safe form login authenticator that ensures consistent response times regardless of whether the user exists.

### Technical Details
The vulnerability was caused by different response times when:
- A valid username was provided (password hashing occurred)
- An invalid username was provided (no password hashing occurred)

The fix introduces a `TimingSafeFormLoginAuthenticator` that performs a dummy password hash verification even for non-existent users, ensuring consistent timing.

### Workarounds
No workarounds are available. Users should upgrade to the patched version.

### References
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account
- https://github.com/mautic/mautic-security/pull/146
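The fast "no such user" path and the dummy-hash fix described above, as an added Python illustration (not Mautic's PHP authenticator); the PBKDF2 user store, the single account and the dummy credential are constructed for this example:

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # PBKDF2 work factor; large enough that hashing dominates request time

def hash_password(password, salt=None):
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store with a single account (example data, not Mautic's).
USERS = {"alice": hash_password("correct horse battery staple")}

# Dummy credential hashed once at start-up; the "unknown user" branch verifies
# against it so both branches pay the same PBKDF2 cost.
DUMMY_SALT, DUMMY_DIGEST = hash_password("dummy-password-never-accepted")

def login_vulnerable(username, password):
    """Pre-fix behaviour: unknown users return before any hashing happens."""
    record = USERS.get(username)
    if record is None:
        return False  # fast path leaks "no such user" through response time
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def login_timing_safe(username, password):
    """Fixed behaviour: always run one password hash, then reject unknown users."""
    record = USERS.get(username)
    user_exists = record is not None
    salt, digest = record if user_exists else (DUMMY_SALT, DUMMY_DIGEST)
    password_ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
    return user_exists and password_ok  # decided only after hashing in both cases

def timing_ratio(login, rounds=3):
    """Median response time for an unknown user divided by that for a known user."""
    def median_seconds(username):
        samples = []
        for _ in range(rounds):
            start = time.perf_counter()
            login(username, "wrong password")
            samples.append(time.perf_counter() - start)
        return sorted(samples)[rounds // 2]
    return median_seconds("nobody") / median_seconds("alice")

if __name__ == "__main__":
    print("vulnerable unknown/known time ratio:  %.3f" % timing_ratio(login_vulnerable))
    print("timing-safe unknown/known time ratio: %.3f" % timing_ratio(login_timing_safe))
```

A ratio near zero is the measurable signal an enumeration check looks for; the timing-safe version keeps it near one while still rejecting every unknown username.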
Metadata
Created: 2025-09-03T22:20:16Z
Modified: 2025-09-03T22:20:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-3ggv-qwcp-j6xg/GHSA-3ggv-qwcp-j6xg.json
CWE IDs: ["CWE-204"]
Alternative ID: GHSA-3ggv-qwcp-j6xg
Finding: F026
Auto approve: 1