Description
An Observable Timing Discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel.
Recommendation
No fix is available yet. The following versions are affected:
- <= 0.26.0
Related Issues
- @perfood/couch-auth has a host header injection vulnerability - CVE-2025-70948
- @perfood/couch-auth may expose session tokens, passwords - CVE-2025-60794
- Padding Oracle Attack due to Observable Timing Discrepancy in jose - CVE-2021-29443
- Padding Oracle Attack due to Observable Timing Discrepancy in jose-browser-runtime - CVE-2021-29444
Tags
- npm
- @perfood/couch-auth
Last updated on March 06, 2026