PT-2023-13792 · Laravel · Laravel
Jens Ji
·
Published
2023-04-25
·
Updated
2025-02-03
·
CVE-2022-40482
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Laravel versions 8.x through 9.x before 9.32.0
Description
The authentication method was found to be vulnerable to user enumeration via timeless timing attacks over HTTP/2 multiplexing. The issue is caused by an early return in the hasValidCredentials method of the Illuminate\Auth\SessionGuard class when the requested user does not exist: the password check is skipped entirely for unknown users, so that code path completes measurably faster than the path taken for an existing user with a wrong password, and the difference reveals whether the account exists.
Recommendations
For Laravel versions 8.x through 9.x before 9.32.0, update to version 9.32.0 or later to resolve the issue. As a temporary workaround, consider modifying the hasValidCredentials method in the Illuminate\Auth\SessionGuard class so that it does not return early in a way that reveals user existence.
Tags: Exploit · Fix · Side Channel Attack
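The shape of the flaw beside one way to harden it, as an added example written for this entry and not Laravel's own SessionGuard code: the vulnerable variant returns before any hash work for an unknown user, while the hardened variant always performs a bcrypt comparison (against a random dummy hash when the user is missing) and pads the call to a fixed minimum duration. The in-memory user store, the low bcrypt cost and the 200 ms floor are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed user store for the demo: username => bcrypt hash. Cost 4 keeps the
// demo fast; real deployments use the default cost.
$users = ['alice' => password_hash('correct horse battery', PASSWORD_BCRYPT, ['cost' => 4])];

// Vulnerable shape (mirrors the flaw described above): an unknown user returns
// before any bcrypt work, so that branch finishes far faster than the
// "known user, wrong password" branch and the timing reveals account existence.
function hasValidCredentialsVulnerable(?string $storedHash, string $password): bool
{
    if ($storedHash === null) {
        return false;
    }
    return password_verify($password, $storedHash);
}

// Hardened shape: always run the bcrypt comparison (against a dummy hash of the
// same cost when the user is unknown) and pad the whole call to a fixed floor.
// The floor must exceed the slowest legitimate path or the padding does nothing.
function hasValidCredentialsHardened(?string $storedHash, string $password, string $dummyHash, int $floorMicros = 200000): bool
{
    $start = hrtime(true);
    // Verify first, then require a real user, so the hash work happens in every case.
    $valid = password_verify($password, $storedHash ?? $dummyHash) && $storedHash !== null;
    $elapsedMicros = intdiv(hrtime(true) - $start, 1000);
    if ($elapsedMicros < $floorMicros) {
        usleep($floorMicros - $elapsedMicros);
    }
    return $valid;
}

// Time both variants for a known and an unknown user and print the gap.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => 4]);
$attempts = ['alice' => 'wrong password', 'nobody' => 'wrong password'];
foreach (['vulnerable', 'hardened'] as $variant) {
    foreach ($attempts as $name => $password) {
        $hash = $users[$name] ?? null;
        $t0 = hrtime(true);
        $ok = $variant === 'vulnerable'
            ? hasValidCredentialsVulnerable($hash, $password)
            : hasValidCredentialsHardened($hash, $password, $dummyHash);
        $micros = intdiv(hrtime(true) - $t0, 1000);
        printf("%-10s user=%-6s valid=%s elapsed=%6d us\n", $variant, $name, var_export($ok, true), $micros);
    }
}
```

In the vulnerable output the unknown-user row completes in a few microseconds while the known-user row pays the full bcrypt cost; in the hardened output both rows sit at the floor.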
Affected Products
Laravel