CVE-2024-47057: Mautic allows user name enumeration due to response time difference on password reset form
This advisory addresses a security vulnerability in Mautic related to the “Forget your password” functionality. This vulnerability could be exploited by unauthenticated users to enumerate valid usernames.
User Enumeration via Timing Attack: A user enumeration vulnerability exists in the “Forget your password” functionality. The endpoint responds measurably more slowly when the submitted username belongs to an existing account than when it does not, even though the response body is the same in both cases. Because the endpoint also lacks rate limiting, an unauthenticated attacker can submit many reset requests, time each one, and confirm which usernames exist. The weakness is in the differing amount of server-side work on the two code paths, not in the response content itself; the fix is to perform equivalent work for unknown usernames and to rate-limit the form.
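The following Python simulation is an added illustration and is not Mautic's code or part of the original advisory. It shows the mechanism in miniature: a forgot-password handler that does expensive work only for known usernames (a PBKDF2 call stands in for token generation and mail delivery), the timing measurement an attacker would run against it, and a hardened handler that performs the same work on both paths so the measurement no longer separates the two cases. The user table, the handlers, the PBKDF2 stand-in and the decision threshold are all constructed assumptions for the demo.

```python
"""Timing-based user enumeration against a simulated "forgot password"
endpoint, and the equal-work fix.

Constructed example: USERS, both handlers and the PBKDF2 stand-in are a
simulation, not Mautic's implementation.
"""
import hashlib
import os
import statistics
import time

# Constructed user table: only these usernames "exist".
USERS = {"alice", "bob"}

# Both handlers return exactly this, so the body leaks nothing.
GENERIC_RESPONSE = "If that account exists, a reset link has been sent."

# Work that a reset flow does only for a known account (derive and store a
# token, render and send an e-mail). PBKDF2 stands in for all of it.
PBKDF2_ITERATIONS = 50_000


def _generate_reset_token(username: str) -> bytes:
    """Stand-in for token generation + mail delivery (deliberately slow)."""
    return hashlib.pbkdf2_hmac(
        "sha256", username.encode(), os.urandom(16), PBKDF2_ITERATIONS
    )


def vulnerable_reset(username: str) -> str:
    """Vulnerable: the expensive path runs only when the user exists, so the
    response time reveals whether the username is valid."""
    if username in USERS:
        _generate_reset_token(username)
    return GENERIC_RESPONSE


def hardened_reset(username: str) -> str:
    """Hardened: equal work on both paths. For an unknown username the token
    is derived for a dummy account and discarded; the body is identical."""
    _generate_reset_token(username if username in USERS else "dummy-account")
    return GENERIC_RESPONSE


def median_response_time(handler, username: str, samples: int = 5) -> float:
    """Median wall-clock time of handler(username) over `samples` calls.
    The median discards the occasional slow outlier (GC, scheduling)."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        handler(username)
        timings.append(time.perf_counter() - start)
    return statistics.median(timings)


def timing_ratio(handler, known: str, unknown: str) -> float:
    """How much slower a known username is than an unknown one."""
    return median_response_time(handler, known) / max(
        median_response_time(handler, unknown), 1e-9
    )


def enumerate_users(handler, candidates, threshold: float = 3.0) -> set:
    """Attacker's view: time a clearly bogus username as the baseline, then
    flag every candidate that is more than `threshold` times slower."""
    baseline = max(
        median_response_time(handler, "no-such-user-" + os.urandom(4).hex()),
        1e-9,
    )
    return {
        c for c in candidates
        if median_response_time(handler, c) / baseline > threshold
    }


if __name__ == "__main__":
    candidates = ["alice", "bob", "carol"]
    print("vulnerable ratio alice/nobody:",
          round(timing_ratio(vulnerable_reset, "alice", "nobody"), 1))
    print("vulnerable enumeration:", enumerate_users(vulnerable_reset, candidates))
    print("hardened ratio alice/nobody:",
          round(timing_ratio(hardened_reset, "alice", "nobody"), 2))
    print("hardened enumeration:", enumerate_users(hardened_reset, candidates))
```

Two caveats a practitioner should keep in mind. First, the equal-work fix removes the large signal but not necessarily every small one; over a network an attacker averages many samples to beat jitter, which is exactly why the advisory names missing rate limiting as part of the problem, and why throttling the form by IP and by target account is the second half of the mitigation. Second, a generic response body, as both handlers here return, is necessary but on its own proves nothing about timing; check the side channel by measuring, as `timing_ratio` does, rather than by reading the response.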