Cyber Resilience

CVE-2024-25189

CriticalPublic PoC

Published: 08 February 2024

Published
08 February 2024
Modified
18 November 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0011 28.7th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-25189 is a critical-severity Observable Discrepancy (CWE-203) vulnerability in Debian Debian Linux. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 28.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

libjwt 1.15.3 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1110 Brute Force Credential Access
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
T1606 Forge Web Credentials Credential Access
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
Why these techniques?

The non-constant time strcmp in libjwt's authentication verification creates a timing side-channel oracle, enabling efficient brute force guessing of JWT tokens (T1110) and forging of web authentication credentials (T1606).

Affected Assets

debian
debian linux
10.0
libjwt
libjwt
1.15.3

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-203

Misdirection can normalize or falsify responses to eliminate observable discrepancies that aid reconnaissance.

addresses: CWE-203

Observable discrepancies in system behavior can be modulated to create covert storage or timing channels; the required analysis detects and constrains such avenues.

addresses: CWE-203

Prevents attackers from using observable differences in error responses to infer internal system details or state.

References