GHSA-QHP6-635J-X7R2

Vulnerability from github – Published: 2026-02-20 18:25 – Updated: 2026-02-23 22:28
Summary
Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames
Details

Summary

A timing-based username enumeration vulnerability in Basic Authentication, caused by an early response on invalid usernames, could allow attackers to identify valid users and focus their efforts on targeted brute-force or credential-stuffing attacks.

Details

SWS validates the provided username before performing any password verification.

  • Invalid Username: The server returns a 401 Unauthorized response immediately.
  • Valid Username: The server proceeds to verify the password (e.g., using bcrypt), which introduces a different execution path and a measurable timing discrepancy.

This allows an attacker to distinguish between existing and non-existing accounts by analyzing response times.

PoC

The following statistical results were obtained by measuring the mean response time over 100 iterations using a custom Rust script:

User Type      Average Response Time
Invalid User   0.409861 ms
Valid User     0.250925 ms
Difference     ~0.158936 ms

While the valid user responded faster in this specific test environment, the statistically significant gap confirms that the authentication logic does not execute in constant time.
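An added illustration, not SWS's own code, of the two authentication shapes described under Details together with the kind of per-call timing measurement the PoC reports; it is in Rust because SWS is a Rust project. The iterated DefaultHasher stands in for bcrypt, and the user name, password, round count and DUMMY_HASH value are constructed for the example.

```rust
use std::{collections::hash_map::DefaultHasher, hash::{Hash, Hasher}};

const ROUNDS: u32 = 20_000;
const DUMMY_HASH: u64 = 0x9e37_79b9_7f4a_7c15; // target for unknown users; no real user hashes to it

// Stand-in for a slow password hash such as bcrypt; constructed for this example only.
pub fn slow_hash(password: &str, rounds: u32) -> u64 {
    (0..rounds).fold(0u64, |h, i| {
        let mut s = DefaultHasher::new(); (h, i, password).hash(&mut s); s.finish()
    })
}
pub struct Credential { pub user: &'static str, pub pw_hash: u64 }

/// Vulnerable shape: an unknown username returns before any password work, so its 401 arrives sooner.
pub fn check_auth_early_return(c: &Credential, user: &str, password: &str) -> bool {
    if user != c.user { return false; }
    slow_hash(password, ROUNDS) == c.pw_hash
}

/// Byte-wise equality whose running time does not depend on where the inputs differ.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    let mut diff = u8::from(a.len() != b.len());
    for i in 0..a.len().max(b.len()) {
        diff |= a.get(i).copied().unwrap_or(0) ^ b.get(i).copied().unwrap_or(0);
    }
    diff == 0
}

/// Hardened shape: the hash always runs (against DUMMY_HASH for an unknown user) and the checks combine with a non-short-circuiting `&`.
pub fn check_auth_constant_time(c: &Credential, user: &str, password: &str) -> bool {
    let user_ok = ct_eq(user.as_bytes(), c.user.as_bytes());
    let target = if user_ok { c.pw_hash } else { DUMMY_HASH };
    let pw_ok = slow_hash(password, ROUNDS) == target;
    user_ok & pw_ok
}

// Mean wall-clock time per call in ms, mirroring the advisory's 100-iteration measurement.
pub fn mean_ms(f: impl Fn() -> bool, iters: u32) -> f64 {
    let t = std::time::Instant::now();
    for _ in 0..iters { let _ = std::hint::black_box(f()); }
    t.elapsed().as_secs_f64() * 1e3 / f64::from(iters)
}

fn main() {
    let c = Credential { user: "alice", pw_hash: slow_hash("correct horse", ROUNDS) };
    let fns: [(&str, fn(&Credential, &str, &str) -> bool); 2] =
        [("early-return", check_auth_early_return), ("constant-time", check_auth_constant_time)];
    for (name, f) in fns {
        let (unknown, known) = (mean_ms(|| f(&c, "nobody", "x"), 100), mean_ms(|| f(&c, "alice", "x"), 100));
        println!("{name}: unknown user {unknown:.4} ms, known user {known:.4} ms");
    }
}
```

Built with optimisations (for example `rustc -O`), the early-return variant shows a large gap between its unknown-user and known-user columns because it skips the hash entirely, while the constant-time variant pays the hash cost on both paths.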

Impact

Users of the SWS Basic Authentication feature are primarily impacted.


{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "static-web-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.41.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27480"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-20T18:25:27Z",
    "nvd_published_at": "2026-02-21T10:16:12Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA Timing-based username enumeration in Basic Authentication vulnerability due to early response on invalid usernames could allow attackers to identify valid users and focus their efforts on targeted brute-force or credential-stuffing attacks.\n\n## Details\n\nSWS validates the provided username before performing any password verification.\n- **Invalid Username:** The server returns a `401 Unauthorized` response immediately.\n- **Valid Username:** The server proceeds to verify the password (e.g., using `bcrypt`), which introduces a different execution path and measurable timing discrepancy.\n\nThis allows an attacker to distinguish between existing and non-existing accounts by analyzing response times.\n\n## PoC\n\nThe following statistical results were obtained by measuring the mean response time over 100 iterations using a custom Rust script:\n\n| User Type | Average Response Time |\n| :--- | :--- |\n| **Invalid User** | 0.409861 ms |\n| **Valid User** | 0.250925 ms |\n| **Difference** | **~0.158936 ms** |\n\nWhile the valid user responded faster in this specific test environment, the statistically significant gap confirms that the authentication logic does not execute in constant time.\n\n## Impact\n\nUsers using the SWS\u0027 Basic Authentication feature are primarily impacted.",
  "id": "GHSA-qhp6-635j-x7r2",
  "modified": "2026-02-23T22:28:57Z",
  "published": "2026-02-20T18:25:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27480"
    },
    {
      "type": "WEB",
      "url": "https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/static-web-server/static-web-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames"
}





