Publish GHSA-43fj-qp3h-hrh5

advisory-database[bot] · advisory-database[bot] · commit 97a548ba5eec · 2026-04-15T18:59:50.000Z
diff --git a/advisories/github-reviewed/2026/04/GHSA-43fj-qp3h-hrh5/GHSA-43fj-qp3h-hrh5.json b/advisories/github-reviewed/2026/04/GHSA-43fj-qp3h-hrh5/GHSA-43fj-qp3h-hrh5.json
@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-43fj-qp3h-hrh5",
+  "modified": "2026-04-15T18:57:50Z",
+  "published": "2026-04-15T18:57:50Z",
+  "aliases": [],
+  "summary": "Sync-in Server has Username Enumeration via Timing Attack",
+  "details": "### Summary\nThe `/api/auth/login` endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time.\n\n### Details\nThe logic flaw can be located at the below point in source:\nhttps://github.com/Sync-in/server/blob/7868bb2b3025f92e6c38087456304758713971b2/backend/src/applications/users/services/users-queries.service.ts#L91-L95\n\nEndpoints used for authentication should respond to the user with a consistent cadence, preventing remote actors from deriving sensitive information about an application based on backend behavior. In the case of authentication endpoints, this timing discrepancy is often caused by short-circuiting due to the lack of a matched user to compare against - as is the case with Sync-in.\n\n### Validation\nTickTock Enum (Burp Suite Extension) was utilized to validate this finding. Authentication attempts with a valid username see a response from the application at around 350-400ms on average, while invalid usernames are returned at only 95-100ms on average.\n<img width=\"1302\" height=\"284\" alt=\"image\" src=\"https://github.com/user-attachments/assets/31eeb72a-c3c2-4057-ac69-c0c92f0bbd4e\" />\n\n### Impact\nAn unauthenticated remote attacker can enumerate valid usernames. This significantly weakens the application's security posture by facilitating targeted brute-force attacks, stuffing, social engineering, and a suite of other more targeted attacks.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@sync-in/server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.2.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.1.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Sync-in/server/security/advisories/GHSA-43fj-qp3h-hrh5"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Sync-in/server"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-208"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-15T18:57:50Z",
+    "nvd_published_at": null
+  }
+}
