Home > Vulnerability Database > CVE-2025-6386

Mend.io Vulnerability Database

CVE-2025-6386

Date: July 7, 2025

The parisneo/lollms repository is affected by a timing attack vulnerability in the "authenticate_user" function within the "lollms_authentication.py" file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The affected version is the latest, and the issue is resolved in version 20.1. The vulnerability arises from the use of Python's default string equality operator for password comparison, which compares characters sequentially and exits on the first mismatch, leading to variable response times based on the number of matching initial characters.

Severity Score

7.5

Related Resources (5)

Url: https://huntr.com/bounties/6da05485-d219-4f18-9ffc-991053524b67

Url: https://github.com/parisneo/lollms/commit/f78437f7b5aa39a78c6201912faf4e0645a38c48

Url: https://github.com/ParisNeo/lollms

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-6386

Url: https://www.mend.io/vulnerability-database/CVE-2025-6386

Severity Score

7.5

Weakness Type (CWE)

Observable Discrepancy

CWE-203

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-6386

Date: July 7, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?