js · nocodb
Heads-up
NocoDB: Fixed timing-based email enumeration in sign-in endpoint
What changed
The unknown-user branch in auth.service.ts now performs a bcrypt.compare against a fixed dummy hash to equalize sign-in response times for known and unknown email addresses.
Who it affects
All deployments of NocoDB where the sign-in endpoint is exposed to untrusted networks.
What to do today
Update to the latest patched version of NocoDB to mitigate the timing-based email enumeration vulnerability.
Source
GitHub Advisory · nocodb