CVE-2025-59432

CVSS v4.0

6.6

Medium

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

Name of the Vulnerable Software and Affected Versions versions prior to 3.2

Description A timing attack issue exists in the SCRAM Java implementation due to the use of Arrays.equals for comparing sensitive values like client proofs and server signatures. Arrays.equals performs a short-circuit comparison, causing variable execution times based on the number of matching leading bytes. This could allow an attacker to perform a timing side-channel attack and potentially reveal authentication information. The issue impacts all users relying on SCRAM authentication. The vulnerable function is Arrays.equals.

Recommendations Upgrade to version 3.2 or later to mitigate this issue.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-385CWE-208

Related Identifiers

CVE-2025-59432

GHSA-3WFH-36RX-9537

OESA-2025-2391

OESA-2025-2392

OESA-2025-2393

OESA-2025-2394

OESA-2025-2395

OESA-2025-2396

OPENSUSE-SU-2025:15680-1

OPENSUSE-SU-2025:20059-1

OPENSUSE-SU-2026:20742-1

SUSE-SU-2025:21016-1

SUSE-SU-2025:4054-1

SUSE-SU-2025_21016-1

SUSE-SU-2025_4054-1

SUSE-SU-2026:21608-1

Affected Products

Debian

Java

Scram

Suse

CVE-2025-59432

Weakness Enumeration

Related Identifiers

Affected Products

References · 36