CVE-2025-59432: Timing Attack Vulnerability in SCRAM Authentication
A timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because Arrays.equals was used to compare secret values such as client proofs and server signatures. Since Arrays.equals performs a short-circuit comparison, the execution time varies depending on how many leading bytes match. This behavior could allow an attacker to perform a timing side-channel attack and potentially infer sensitive authentication material. All users relying on SCRAM authentication are impacted.
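The difference between the two comparison styles, as an added example (not code from the ongres/scram project or its fix commit). It assumes `MessageDigest.isEqual`, whose documentation is listed in the references, as the replacement for `Arrays.equals`; the class name, helper names, key and message are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ProofCompareDemo {

    // Model of a short-circuit comparison: returns how many bytes were examined
    // before the result was known. The work grows with the matching prefix,
    // which is the data-dependent behaviour the advisory describes.
    static int bytesExaminedShortCircuit(byte[] expected, byte[] supplied) {
        if (expected.length != supplied.length) return 0;
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != supplied[i]) return i + 1;
        }
        return expected.length;
    }

    // Pattern named in the advisory: may stop at the first differing byte.
    static boolean verifyShortCircuit(byte[] expected, byte[] supplied) {
        return Arrays.equals(expected, supplied);
    }

    // Hardened form (assumed replacement): for equal-length inputs, current JDKs
    // examine every byte regardless of where the first mismatch occurs.
    static boolean verifyConstantTime(byte[] expected, byte[] supplied) {
        return MessageDigest.isEqual(expected, supplied);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a server-side expected signature (32 bytes).
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec("constructed-key".getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] expected = mac.doFinal("constructed-auth-message".getBytes(StandardCharsets.UTF_8));

        byte[] wrongFirst = expected.clone();
        wrongFirst[0] ^= 0x01;                    // mismatch in the first byte
        byte[] wrongLast = expected.clone();
        wrongLast[expected.length - 1] ^= 0x01;   // mismatch in the last byte

        System.out.println("short-circuit, first byte wrong: "
                + bytesExaminedShortCircuit(expected, wrongFirst) + " byte(s) examined");
        System.out.println("short-circuit, last byte wrong:  "
                + bytesExaminedShortCircuit(expected, wrongLast) + " byte(s) examined");
        System.out.println("both checks reject wrongLast:    "
                + (!verifyShortCircuit(expected, wrongLast) && !verifyConstantTime(expected, wrongLast)));
        System.out.println("both checks accept the original: "
                + (verifyShortCircuit(expected, expected) && verifyConstantTime(expected, expected.clone())));
    }
}
```

Both methods return the same boolean for every input; only the amount of work done on a mismatch differs, which is why the substitution is safe to make wherever secret values are compared.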
References
- docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/MessageDigest.html
- github.com/advisories/GHSA-3wfh-36rx-9537
- github.com/ongres/scram
- github.com/ongres/scram/commit/e0b0cf99f05406a0d26682c72fcb5728e95124b3
- github.com/ongres/scram/security/advisories/GHSA-3wfh-36rx-9537
- nvd.nist.gov/vuln/detail/CVE-2025-59432