CVE-2025-9824: Mautic Vulnerable to User Enumeration via Response Timing
An attacker can determine whether a user account exists by measuring how long the login request takes to return. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute-force attacks against the accounts found.
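The side channel described above and the usual mitigation, as an added illustrative example in Python (not Mautic's own PHP code and not its actual fix). The advisory does not state the root cause, so the leaky function models the common pattern of returning early for unknown users before any password hashing, and the user table, salt and passwords are constructed sample data.

```python
import hashlib
import hmac
import time

# Constructed sample data (not Mautic's): one user with a PBKDF2 password hash.
_SALT = b"constructed-salt"
_ITERATIONS = 100_000

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)

USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# A fixed dummy record so the unknown-user path does the same amount of work.
_DUMMY = (_SALT, _hash_password("dummy-password", _SALT))

def login_leaky(username: str, password: str) -> bool:
    """Vulnerable pattern (assumed, for illustration): an unknown user returns
    before any hashing, so it answers much faster than a wrong password."""
    if username not in USERS:
        return False
    salt, expected = USERS[username]
    return hmac.compare_digest(_hash_password(password, salt), expected)

def login_constant_work(username: str, password: str) -> bool:
    """Hardened: always hash and compare, using the dummy record when the user
    is unknown, and never accept a login on the dummy path."""
    salt, expected = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(_hash_password(password, salt), expected)
    return matched and username in USERS

def timing_gap_ms(login, trials: int = 5) -> float:
    """Median extra time (ms) a wrong password for a real user costs compared
    with an unknown user; close to zero for a non-leaking implementation."""
    def median_ms(username: str) -> float:
        samples = []
        for _ in range(trials):
            start = time.perf_counter()
            login(username, "not-the-password")
            samples.append((time.perf_counter() - start) * 1000)
        return sorted(samples)[trials // 2]
    return median_ms("alice") - median_ms("nobody")

if __name__ == "__main__":
    print(f"leaky gap:     {timing_gap_ms(login_leaky):.1f} ms")
    print(f"hardened gap:  {timing_gap_ms(login_constant_work):.1f} ms")
```

Measured on a local machine the leaky gap is roughly the cost of one PBKDF2 derivation while the hardened gap is near zero; a detection-side check is the same comparison run against a staging login endpoint.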
References
- github.com/advisories/GHSA-3ggv-qwcp-j6xg
- github.com/mautic/mautic
- github.com/mautic/mautic/commit/6bc4f5f1aabb13df12714ad0ea9fc281cbb867c6
- github.com/mautic/mautic/commit/b4264c717ce31fbafafcefc04b02ecb9fb911e62
- github.com/mautic/mautic/security/advisories/GHSA-3ggv-qwcp-j6xg
- nvd.nist.gov/vuln/detail/CVE-2025-9824