PT-2025-28157 · Parisneo · Lollms

Published 2025-03-23 · Updated 2025-07-07 · CVE-2025-6386

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: parisneo/lollms versions prior to 20.1
Description: The issue is a timing side channel in the authenticate user function of the lollms authentication.py file. It allows attackers to enumerate valid usernames and to guess passwords one character at a time by measuring differences in response time. The root cause is the use of Python's default string equality operator for password comparison: it compares characters sequentially and returns at the first mismatch, so the response time varies with the number of leading characters that match the stored password.
Recommendations: For versions prior to 20.1, update to version 20.1 to resolve the issue. As a temporary workaround, consider modifying the authenticate user function to use a constant-time string comparison method to prevent variable response times based on password matches.
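As an added illustration (not code from the lollms project), the comparison pattern the advisory describes beside a constant-time replacement; function names, the credential store layout, the salts and the PBKDF2 round count are assumptions:

```python
import hashlib
import hmac

_PBKDF2_ROUNDS = 50_000
# Constructed decoy used when the username is unknown, so that the unknown-user
# path performs the same hashing and comparison work as the known-user path.
_DUMMY_SALT = b"constructed-dummy-salt-0"
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"decoy", _DUMMY_SALT, _PBKDF2_ROUNDS)


def authenticate_vulnerable(users: dict[str, str], username: str, password: str) -> bool:
    """Plaintext store and `==` comparison: the weakness class on this page.

    `==` on str returns at the first mismatching character, so time spent grows
    with the length of the matching prefix; the early `return False` for an
    unknown user also separates existing from non-existing usernames.
    """
    if username not in users:
        return False
    return users[username] == password


def make_store(plain: dict[str, str],
               salt: bytes = b"constructed-salt-1234567") -> dict[str, tuple[bytes, bytes]]:
    """Build a salted PBKDF2 store from constructed sample credentials.

    A single shared salt keeps the example short; a real store uses a random
    per-user salt.
    """
    return {u: (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, _PBKDF2_ROUNDS))
            for u, p in plain.items()}


def authenticate_constant_time(users: dict[str, tuple[bytes, bytes]],
                               username: str, password: str) -> bool:
    """Same work on every path, and a comparison whose time does not leak the prefix."""
    salt, stored = users.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    # compare_digest takes time that depends only on the length of its inputs,
    # not on where they first differ. Compare the fixed-length byte digests, not
    # the raw strings: the str form of compare_digest also requires ASCII input.
    matched = hmac.compare_digest(derived, stored)
    return matched and username in users
```

Hashing before comparing also makes both inputs to `compare_digest` the same fixed length, so password length is not leaked either.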

Fix

Weakness Enumeration: Side Channel Attack

Related Identifiers: BDU:2026-00093, CVE-2025-6386, GHSA-J5PR-VRJJ-9V4H

Affected Products: Lollms