CVE-2026-25050

Name of the Vulnerable Software and Affected Versions Vendure versions prior to 3.5.3

Description Vendure, an open-source headless commerce platform, contains a flaw in the NativeAuthenticationStrategy.authenticate() method. This issue allows attackers to enumerate valid usernames (email addresses) through a timing attack. The authenticate method, located in packages/core/src/config/auth/native-authentication-strategy.ts, returns quickly if a user is not found, while authentication attempts with valid users experience a noticeable delay due to bcrypt processing. This timing difference enables attackers to reliably determine the existence of accounts.

Recommendations Update to version 3.5.3 or later.