Vendure · Vendure · CVE-2026-25050
**Name of the Vulnerable Software and Affected Versions**
Vendure versions prior to 3.5.3
**Description**
Vendure, an open-source headless commerce platform, contains a flaw in the `NativeAuthenticationStrategy.authenticate()` method that allows attackers to enumerate valid usernames (email addresses) through a timing attack. The `authenticate` method, located in `packages/core/src/config/auth/native-authentication-strategy.ts`, returns early when no user matches the supplied identifier, before any password hashing takes place, whereas attempts against existing users incur the bcrypt comparison and therefore take noticeably longer. This timing difference lets an attacker reliably determine whether an account exists.
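The early-return shape described above next to a hardened form that does the same amount of work on both paths, as an added example that is not Vendure's code: it assumes a constructed in-memory user store and uses PBKDF2 as a deliberately slow stand-in for bcrypt.

```typescript
import { pbkdf2Sync, randomBytes, timingSafeEqual } from "crypto";

// Constructed stand-in for bcrypt: a slow PBKDF2 so the cost of the
// "user exists" path is visible. Vendure itself uses bcrypt.
const ITERATIONS = 100_000;
const counter = { hashCalls: 0 }; // deterministic proxy for elapsed time
function getHashCalls(): number { return counter.hashCalls; }
function resetHashCalls(): void { counter.hashCalls = 0; }

function slowHash(password: string, salt: Buffer): Buffer {
  counter.hashCalls++;
  return pbkdf2Sync(password, salt, ITERATIONS, 32, "sha256");
}

interface StoredUser { salt: Buffer; hash: Buffer }
const users = new Map<string, StoredUser>(); // constructed user store

function register(email: string, password: string): void {
  const salt = randomBytes(16);
  users.set(email, { salt, hash: slowHash(password, salt) });
}
register("alice@example.com", "correct horse battery staple");

// Precomputed dummy credential, hashed once at startup, so the
// "no such user" path can burn the same cost as a real comparison.
const dummySalt = randomBytes(16);
const dummy: StoredUser = {
  salt: dummySalt,
  hash: slowHash(randomBytes(16).toString("hex"), dummySalt),
};

// Vulnerable shape: an unknown identifier returns before any hashing,
// so response time reveals whether the email is registered.
function authenticateVulnerable(email: string, password: string): boolean {
  const user = users.get(email);
  if (!user) return false; // fast path: no hashing work at all
  return timingSafeEqual(slowHash(password, user.salt), user.hash);
}

// Hardened shape: always run exactly one slow hash, against the real
// record if present or the dummy otherwise, then decide.
function authenticateHardened(email: string, password: string): boolean {
  const user = users.get(email);
  const record = user ?? dummy;
  const matches = timingSafeEqual(slowHash(password, record.salt), record.hash);
  return user !== undefined && matches;
}
```

The `hashCalls` counter shows the asymmetry without relying on wall-clock measurements: the vulnerable path performs zero hash computations for an unknown user, the hardened path performs exactly one on either branch.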
**Recommendations**
Update to version 3.5.3 or later.