CVE-2025-6386: LoLLMs timing attack enables

Q: Is CVE-2025-6386 actively exploited?

No confirmed active exploitation of CVE-2025-6386 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2025-6386?

1. PATCH: Update to commit f78437f or any subsequent release — the fix replaces the insecure == comparison with a constant-time comparison (hmac.compare_digest or secrets.compare_digest). 2. DETECT: Review web server access logs for high-volume authentication requests from single IPs with sub-millisecond timing variation patterns. 3. COMPENSATE (pre-patch): Implement rate limiting and IP-based throttling on the /auth endpoint to increase attacker request cost. Add artificial jitter (random delay) to authentication responses as a temporary mitigation. 4. AUDIT: Check access logs for anomalous authentication activity prior to patching — enumerate any accounts that may have been compromised via username enumeration.

Q: What systems are affected by CVE-2025-6386?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI orchestration platforms, self-hosted LLM deployments, local AI model serving.

Q: What is the CVSS score for CVE-2025-6386?

CVE-2025-6386 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.37%.

CISO Take

If your AI infrastructure includes parisneo/lollms, patch immediately to commit f78437f — this timing side-channel allows unauthenticated remote attackers to enumerate valid usernames and incrementally recover passwords without triggering lockouts. Internet-exposed lollms instances are directly at risk of full authentication bypass, granting adversaries access to your AI orchestration layer including all connected models and tools. No workaround exists other than patching or taking the service offline pending upgrade.

What is the risk?

High severity (CVSS 7.5) with low current exploitation probability (EPSS 0.00071). The vulnerability requires no authentication, no privileges, and no user interaction — lowering the exploitation barrier significantly. However, successful timing attacks require statistical analysis across hundreds to thousands of network requests, making opportunistic mass exploitation unlikely. Targeted attacks against known-exposed lollms deployments are the realistic threat. Risk is elevated for organizations where lollms is internet-facing or accessible from shared network segments.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
LoLLMs	pip	<= 11.0.0	No patch
81 Pushed 8d ago 33% patched ~1d to patch Full package profile →

Do you use LoLLMs? You're affected.

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 29% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

What should I do?

4 steps

PATCH

Update to commit f78437f or any subsequent release — the fix replaces the insecure == comparison with a constant-time comparison (hmac.compare_digest or secrets.compare_digest).
DETECT

Review web server access logs for high-volume authentication requests from single IPs with sub-millisecond timing variation patterns.
COMPENSATE (pre-patch): Implement rate limiting and IP-based throttling on the /auth endpoint to increase attacker request cost. Add artificial jitter (random delay) to authentication responses as a temporary mitigation.
AUDIT

Check access logs for anomalous authentication activity prior to patching — enumerate any accounts that may have been compromised via username enumeration.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass Data Extraction Framework Agent AML.T0006 - Active Scanning AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0106 - Exploitation for Credential Access

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI system access control

NIST AI RMF

GOVERN 6.1 - Policies and procedures for AI risk management MANAGE 2.4 - Residual risks are managed

OWASP LLM Top 10

LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-6386?

If your AI infrastructure includes parisneo/lollms, patch immediately to commit f78437f — this timing side-channel allows unauthenticated remote attackers to enumerate valid usernames and incrementally recover passwords without triggering lockouts. Internet-exposed lollms instances are directly at risk of full authentication bypass, granting adversaries access to your AI orchestration layer including all connected models and tools. No workaround exists other than patching or taking the service offline pending upgrade.

Is CVE-2025-6386 actively exploited?

No confirmed active exploitation of CVE-2025-6386 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-6386?

1. PATCH: Update to commit f78437f or any subsequent release — the fix replaces the insecure == comparison with a constant-time comparison (hmac.compare_digest or secrets.compare_digest). 2. DETECT: Review web server access logs for high-volume authentication requests from single IPs with sub-millisecond timing variation patterns. 3. COMPENSATE (pre-patch): Implement rate limiting and IP-based throttling on the /auth endpoint to increase attacker request cost. Add artificial jitter (random delay) to authentication responses as a temporary mitigation. 4. AUDIT: Check access logs for anomalous authentication activity prior to patching — enumerate any accounts that may have been compromised via username enumeration.

What systems are affected by CVE-2025-6386?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI orchestration platforms, self-hosted LLM deployments, local AI model serving.

What is the CVSS score for CVE-2025-6386?

CVE-2025-6386 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.37%.

What is the AI security impact?

Affected AI Architectures

agent frameworksAI orchestration platformsself-hosted LLM deploymentslocal AI model serving

MITRE ATLAS Techniques

AML.T0006 Active Scanning

AML.T0012 Valid Accounts

AML.T0049 Exploit Public-Facing Application

AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: A.6.2

NIST AI RMF: GOVERN 6.1, MANAGE 2.4

OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the `lollms_authentication.py` file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The affected version is the latest, and the issue is resolved in commit f78437f. The vulnerability arises from the use of Python's default string equality operator for password comparison, which compares characters sequentially and exits on the first mismatch, leading to variable response times based on the number of matching initial characters.

Exploitation Scenario

An attacker identifies an internet-exposed lollms instance (via Shodan or direct reconnaissance). Using a timing oracle script, they send thousands of login requests with a target username and single-character password candidates, measuring response latencies with microsecond precision. Characters that cause longer processing time reveal matching prefix bytes, enabling character-by-character password reconstruction. Username validity is confirmed by comparing response time distributions for existing vs. non-existing accounts. Once credentials are recovered, the attacker logs into lollms with full user privileges — gaining access to all connected LLMs, tools, files, and agent workflows configured by that user.

Weaknesses (CWE)

CWE-203 Observable Discrepancy Primary

CWE-203 — Observable Discrepancy: The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

[Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
[Implementation] Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.

Source: MITRE CWE corpus.