Laravel · Laravel · CVE-2022-40482
**Name of the Vulnerable Software and Affected Versions**
Laravel versions 8.x through 9.x before 9.32.0
**Description**
The authentication method was found to be vulnerable to user enumeration via timeless timing attacks using HTTP/2 multiplexing. The cause is an early return inside the `hasValidCredentials` method of the `Illuminate\Auth\SessionGuard` class when the requested user does not exist: no credential verification runs on that path, so a login attempt for an unknown user completes faster than one for a known user with a wrong password, and the difference in response time reveals whether the account exists.
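The early-return pattern the advisory describes, shown beside a constant-work alternative, as an added illustrative example in plain PHP that is not Laravel's own code and not the upstream fix. It stands in a minimal in-memory user store for the session guard's user provider; `hasValidCredentialsEarlyReturn`, `hasValidCredentialsConstantWork`, the dummy-hash approach and the sample account are all assumptions made for the demonstration.

```php
<?php
// Added illustrative example (not Laravel's own code). Models the early-return
// pattern named in the advisory and a constant-work alternative for comparison.
declare(strict_types=1);

// Constructed in-memory "user provider": email => bcrypt hash (assumption).
$users = [
    'alice@example.test' => password_hash('correct horse battery staple', PASSWORD_BCRYPT),
];

/**
 * Vulnerable shape: when no user is found we return before any hash
 * verification runs, so a request for an unknown account finishes measurably
 * faster than one for a known account with a wrong password.
 */
function hasValidCredentialsEarlyReturn(?string $hash, string $password): bool
{
    if ($hash === null) {
        return false;               // early return: no bcrypt work performed
    }
    return password_verify($password, $hash);
}

/**
 * Hardened shape (assumption, not the upstream fix): when the user is missing,
 * verify against a dummy hash of the same algorithm and cost so both paths do
 * one bcrypt comparison, and only then apply the existence check.
 */
function hasValidCredentialsConstantWork(?string $hash, string $password, string $dummyHash): bool
{
    $verified = password_verify($password, $hash ?? $dummyHash);
    return $hash !== null && $verified;
}

// Dummy hash generated once at startup with the same cost as the real hashes.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT);

// Wall-clock timing helper, milliseconds.
function timeIt(callable $fn): float
{
    $start = hrtime(true);
    $fn();
    return (hrtime(true) - $start) / 1e6;
}

// Compare a known account and an unknown account, both with a wrong password.
foreach (['alice@example.test', 'nobody@example.test'] as $email) {
    $hash = $users[$email] ?? null;
    $early = timeIt(fn () => hasValidCredentialsEarlyReturn($hash, 'wrong-password'));
    $const = timeIt(fn () => hasValidCredentialsConstantWork($hash, 'wrong-password', $dummyHash));
    printf("%-22s early-return: %7.2f ms   constant-work: %7.2f ms\n", $email, $early, $const);
}
```

Running this locally shows the early-return path taking well under a millisecond for the unknown account while the known account costs a full bcrypt verification; the constant-work version makes both rows cost roughly the same. The remaining gap is whatever the user lookup itself costs, which is why a timeless timing measurement over HTTP/2 can still pick up small differences and why the page's recommendation is to upgrade rather than rely on a local patch.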
**Recommendations**
For Laravel versions 8.x through 9.x before 9.32.0, update to version 9.32.0 or later to resolve the issue. As a temporary workaround, consider modifying the `hasValidCredentials` method in the `Illuminate\Auth\SessionGuard` class to prevent early returns that could reveal user existence.