Vulnerability Database
296,676
Total vulnerabilities in the database
CVE-2025-59432
Impact
A timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because Arrays.equals was used to compare secret values such as client proofs and server signatures. Since Arrays.equals performs a short-circuit comparison, the execution time varies depending on how many leading bytes match. This behavior could allow an attacker to perform a timing side-channel attack and potentially infer sensitive authentication material. All users relying on SCRAM authentication are impacted.
Patches
This vulnerability has been patched by replacing Arrays.equals with MessageDigest.isEqual, which ensures constant-time comparison.
Users should upgrade to version 3.2 or later to mitigate this issue.
Workarounds
Because the attack requires high precision and repeated attempts, the risk is limited, but the only reliable mitigation is to upgrade to a patched release (version 3.2 or later).
References
| Software | From | Fixed in |
|---|---|---|
com.ongres.scram / scram-common
|
- | 3.2 |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime