GHSA-MJ7R-X3H3-7RMR

Vulnerability from github – Published: 2026-04-16 20:42 – Updated: 2026-04-16 20:42
VLAI?
Summary
ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint
Details

Summary

The password reset endpoint (/api/v1/@apostrophecms/login/reset-request) exhibits a measurable timing side channel that allows unauthenticated attackers to enumerate valid usernames and email addresses. When a user is not found, the handler returns after a fixed 2-second artificial delay, but when a valid user is found, it performs database writes and SMTP operations with no equivalent delay normalization, producing a distinguishable timing profile.

Details

The resetRequest handler in modules/@apostrophecms/login/index.js attempts to obscure the user-not-found path with an artificial delay, but fails to normalize the timing of the user-found path:

User not found — fixed 2000ms delay (index.js:309-314):

if (!user) {
  await wait();  // wait = (t = 2000) => Promise.delay(t)
  self.apos.util.error(
    `Reset password request error - the user ${email} doesn\`t exist.`
  );
  return;
}

User found — variable-duration DB + SMTP operations, no artificial delay (index.js:323-355):

const reset = self.apos.util.generateId();
user.passwordReset = reset;
user.passwordResetAt = new Date();
await self.apos.user.update(req, user, { permissions: false });
// ... URL construction ...
await self.email(req, 'passwordResetEmail', {
  user,
  url: parsed.toString(),
  site
}, {
  to: user.email,
  subject: req.t('apostrophe:passwordResetRequest', { site })
});

The user-found path includes a MongoDB update() call and an SMTP email() send, which together produce response times that differ measurably from the fixed 2000ms delay. Depending on SMTP server latency, responses for valid users will either be noticeably faster (local/fast SMTP) or slower (remote SMTP) than the constant 2-second delay for invalid users.

Additionally, the getPasswordResetUser method (index.js:664-666) accepts both username and email via an $or query, enabling enumeration of both identifiers:

const criteriaOr = [
  { username: email },
  { email }
];

There is no rate limiting on the reset endpoint. The checkLoginAttempts throttle (index.js:978) is only applied to the login flow, allowing unlimited rapid probing of the reset endpoint.

PoC

Prerequisites: An Apostrophe instance with passwordReset: true enabled in @apostrophecms/login configuration.

Step 1 — Baseline invalid user timing:

for i in $(seq 1 10); do
  curl -s -o /dev/null -w "%{time_total}\n" \
    -X POST http://localhost:3000/api/v1/@apostrophecms/login/reset-request \
    -H "Content-Type: application/json" \
    -d '{"email": "nonexistent-user-'$i'@example.com"}'
done
# Expected: all responses cluster tightly around 2.0xx seconds

Step 2 — Test known valid user:

for i in $(seq 1 10); do
  curl -s -o /dev/null -w "%{time_total}\n" \
    -X POST http://localhost:3000/api/v1/@apostrophecms/login/reset-request \
    -H "Content-Type: application/json" \
    -d '{"email": "admin"}'
done
# Expected: response times differ from 2.0s baseline (faster with local SMTP, slower with remote SMTP)

Step 3 — Statistical comparison: The two distributions will show a measurable divergence. With a local mail server, valid-user responses typically complete in <500ms. With a remote SMTP server, valid-user responses may take 3-5+ seconds. Either way, the timing is distinguishable from the fixed 2000ms invalid-user delay.

Impact

  • Account enumeration: An unauthenticated attacker can determine whether a given username or email address has an account in the Apostrophe instance.
  • Credential stuffing preparation: Confirmed valid accounts can be targeted with credential stuffing attacks using breached password databases.
  • Phishing targeting: Knowledge of valid accounts enables targeted phishing campaigns against confirmed users.
  • No rate limiting: The absence of throttling on the reset endpoint allows high-speed automated enumeration.
  • Mitigating factor: The passwordReset option defaults to false (index.js:62), so only instances that explicitly enable password reset are affected.

Recommended Fix

Normalize all code paths to a constant minimum duration, ensuring the response time does not leak whether a user was found:

async resetRequest(req) {
  const MIN_RESPONSE_TIME = 2000;
  const startTime = Date.now();
  const site = (req.headers.host || '').replace(/:\d+$/, '');
  const email = self.apos.launder.string(req.body.email);
  if (!email.length) {
    throw self.apos.error('invalid', req.t('apostrophe:loginResetEmailRequired'));
  }
  let user;
  try {
    user = await self.getPasswordResetUser(req.body.email);
  } catch (e) {
    self.apos.util.error(e);
  }
  if (!user) {
    self.apos.util.error(
      `Reset password request error - the user ${email} doesn\`t exist.`
    );
  } else if (!user.email) {
    self.apos.util.error(
      `Reset password request error - the user ${user.username} doesn\`t have an email.`
    );
  } else {
    const reset = self.apos.util.generateId();
    user.passwordReset = reset;
    user.passwordResetAt = new Date();
    await self.apos.user.update(req, user, { permissions: false });
    let port = (req.headers.host || '').split(':')[1];
    if (!port || [ '80', '443' ].includes(port)) {
      port = '';
    } else {
      port = `:${port}`;
    }
    const parsed = new URL(
      req.absoluteUrl,
      self.apos.baseUrl
        ? undefined
        : `${req.protocol}://${req.hostname}${port}`
    );
    parsed.pathname = self.login();
    parsed.search = '?';
    parsed.searchParams.append('reset', reset);
    parsed.searchParams.append('email', user.email);
    try {
      await self.email(req, 'passwordResetEmail', {
        user,
        url: parsed.toString(),
        site
      }, {
        to: user.email,
        subject: req.t('apostrophe:passwordResetRequest', { site })
      });
    } catch (err) {
      self.apos.util.error(`Error while sending email to ${user.email}`, err);
    }
  }
  // Pad all paths to a constant minimum duration
  const elapsed = Date.now() - startTime;
  if (elapsed < MIN_RESPONSE_TIME) {
    await Promise.delay(MIN_RESPONSE_TIME - elapsed);
  }
},

Additionally, consider applying rate limiting to the reset-request endpoint to prevent high-speed enumeration attempts.

Severity ?
3.7 (Low)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "apostrophe"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T20:42:11Z",
    "nvd_published_at": "2026-04-15T20:16:35Z",
    "severity": "LOW"
  },
  "details": "## Summary\n\nThe password reset endpoint (`/api/v1/@apostrophecms/login/reset-request`) exhibits a measurable timing side channel that allows unauthenticated attackers to enumerate valid usernames and email addresses. When a user is not found, the handler returns after a fixed 2-second artificial delay, but when a valid user is found, it performs database writes and SMTP operations with no equivalent delay normalization, producing a distinguishable timing profile.\n\n## Details\n\nThe `resetRequest` handler in `modules/@apostrophecms/login/index.js` attempts to obscure the user-not-found path with an artificial delay, but fails to normalize the timing of the user-found path:\n\n**User not found \u2014 fixed 2000ms delay** (`index.js:309-314`):\n```javascript\nif (!user) {\n  await wait();  // wait = (t = 2000) =\u003e Promise.delay(t)\n  self.apos.util.error(\n    `Reset password request error - the user ${email} doesn\\`t exist.`\n  );\n  return;\n}\n```\n\n**User found \u2014 variable-duration DB + SMTP operations, no artificial delay** (`index.js:323-355`):\n```javascript\nconst reset = self.apos.util.generateId();\nuser.passwordReset = reset;\nuser.passwordResetAt = new Date();\nawait self.apos.user.update(req, user, { permissions: false });\n// ... URL construction ...\nawait self.email(req, \u0027passwordResetEmail\u0027, {\n  user,\n  url: parsed.toString(),\n  site\n}, {\n  to: user.email,\n  subject: req.t(\u0027apostrophe:passwordResetRequest\u0027, { site })\n});\n```\n\nThe user-found path includes a MongoDB `update()` call and an SMTP `email()` send, which together produce response times that differ measurably from the fixed 2000ms delay. Depending on SMTP server latency, responses for valid users will either be noticeably faster (local/fast SMTP) or slower (remote SMTP) than the constant 2-second delay for invalid users.\n\nAdditionally, the `getPasswordResetUser` method (`index.js:664-666`) accepts both username and email via an `$or` query, enabling enumeration of both identifiers:\n```javascript\nconst criteriaOr = [\n  { username: email },\n  { email }\n];\n```\n\nThere is no rate limiting on the reset endpoint. The `checkLoginAttempts` throttle (`index.js:978`) is only applied to the login flow, allowing unlimited rapid probing of the reset endpoint.\n\n## PoC\n\n**Prerequisites:** An Apostrophe instance with `passwordReset: true` enabled in `@apostrophecms/login` configuration.\n\n**Step 1 \u2014 Baseline invalid user timing:**\n```bash\nfor i in $(seq 1 10); do\n  curl -s -o /dev/null -w \"%{time_total}\\n\" \\\n    -X POST http://localhost:3000/api/v1/@apostrophecms/login/reset-request \\\n    -H \"Content-Type: application/json\" \\\n    -d \u0027{\"email\": \"nonexistent-user-\u0027$i\u0027@example.com\"}\u0027\ndone\n# Expected: all responses cluster tightly around 2.0xx seconds\n```\n\n**Step 2 \u2014 Test known valid user:**\n```bash\nfor i in $(seq 1 10); do\n  curl -s -o /dev/null -w \"%{time_total}\\n\" \\\n    -X POST http://localhost:3000/api/v1/@apostrophecms/login/reset-request \\\n    -H \"Content-Type: application/json\" \\\n    -d \u0027{\"email\": \"admin\"}\u0027\ndone\n# Expected: response times differ from 2.0s baseline (faster with local SMTP, slower with remote SMTP)\n```\n\n**Step 3 \u2014 Statistical comparison:**\nThe two distributions will show a measurable divergence. With a local mail server, valid-user responses typically complete in \u003c500ms. With a remote SMTP server, valid-user responses may take 3-5+ seconds. Either way, the timing is distinguishable from the fixed 2000ms invalid-user delay.\n\n## Impact\n\n- **Account enumeration:** An unauthenticated attacker can determine whether a given username or email address has an account in the Apostrophe instance.\n- **Credential stuffing preparation:** Confirmed valid accounts can be targeted with credential stuffing attacks using breached password databases.\n- **Phishing targeting:** Knowledge of valid accounts enables targeted phishing campaigns against confirmed users.\n- **No rate limiting:** The absence of throttling on the reset endpoint allows high-speed automated enumeration.\n- **Mitigating factor:** The `passwordReset` option defaults to `false` (`index.js:62`), so only instances that explicitly enable password reset are affected.\n\n## Recommended Fix\n\nNormalize all code paths to a constant minimum duration, ensuring the response time does not leak whether a user was found:\n\n```javascript\nasync resetRequest(req) {\n  const MIN_RESPONSE_TIME = 2000;\n  const startTime = Date.now();\n  const site = (req.headers.host || \u0027\u0027).replace(/:\\d+$/, \u0027\u0027);\n  const email = self.apos.launder.string(req.body.email);\n  if (!email.length) {\n    throw self.apos.error(\u0027invalid\u0027, req.t(\u0027apostrophe:loginResetEmailRequired\u0027));\n  }\n  let user;\n  try {\n    user = await self.getPasswordResetUser(req.body.email);\n  } catch (e) {\n    self.apos.util.error(e);\n  }\n  if (!user) {\n    self.apos.util.error(\n      `Reset password request error - the user ${email} doesn\\`t exist.`\n    );\n  } else if (!user.email) {\n    self.apos.util.error(\n      `Reset password request error - the user ${user.username} doesn\\`t have an email.`\n    );\n  } else {\n    const reset = self.apos.util.generateId();\n    user.passwordReset = reset;\n    user.passwordResetAt = new Date();\n    await self.apos.user.update(req, user, { permissions: false });\n    let port = (req.headers.host || \u0027\u0027).split(\u0027:\u0027)[1];\n    if (!port || [ \u002780\u0027, \u0027443\u0027 ].includes(port)) {\n      port = \u0027\u0027;\n    } else {\n      port = `:${port}`;\n    }\n    const parsed = new URL(\n      req.absoluteUrl,\n      self.apos.baseUrl\n        ? undefined\n        : `${req.protocol}://${req.hostname}${port}`\n    );\n    parsed.pathname = self.login();\n    parsed.search = \u0027?\u0027;\n    parsed.searchParams.append(\u0027reset\u0027, reset);\n    parsed.searchParams.append(\u0027email\u0027, user.email);\n    try {\n      await self.email(req, \u0027passwordResetEmail\u0027, {\n        user,\n        url: parsed.toString(),\n        site\n      }, {\n        to: user.email,\n        subject: req.t(\u0027apostrophe:passwordResetRequest\u0027, { site })\n      });\n    } catch (err) {\n      self.apos.util.error(`Error while sending email to ${user.email}`, err);\n    }\n  }\n  // Pad all paths to a constant minimum duration\n  const elapsed = Date.now() - startTime;\n  if (elapsed \u003c MIN_RESPONSE_TIME) {\n    await Promise.delay(MIN_RESPONSE_TIME - elapsed);\n  }\n},\n```\n\nAdditionally, consider applying rate limiting to the `reset-request` endpoint to prevent high-speed enumeration attempts.",
  "id": "GHSA-mj7r-x3h3-7rmr",
  "modified": "2026-04-16T20:42:11Z",
  "published": "2026-04-16T20:42:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mj7r-x3h3-7rmr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33877"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apostrophecms/apostrophe/commit/e266cffd8c0d331a9b05c92bf11616556efcdc77"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apostrophecms/apostrophe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.