Cyber Posture

CVE-2025-70949

Severity: High
Published: 05 March 2026
Modified: 27 April 2026
KEV Added: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0001 (percentile rank 3.1)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-70949 is a high-severity Observable Timing Discrepancy (CWE-208) vulnerability in the @perfood/couch-auth npm package, version 0.26.0 (the product is inferred from the references; NVD filed no CPE). Its CVSS v3.1 base score is 7.5 (High): network-reachable, low complexity, no privileges or user interaction, high confidentiality impact only.

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001). EPSS places it at percentile rank 3.1 by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Password Guessing (T1110.001).
Threat & Defense Details

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-208

Timing randomization or delays can mask true operation timing and mislead timing-based attacks. Jitter on its own only raises the number of samples an attacker must average; the durable fix is to make the sensitive step (credential or token comparison) take the same time for every input, typically with a constant-time comparison.

addresses: CWE-208

Observable timing discrepancies are a primary mechanism for constructing covert timing channels; analysis identifies and bounds them, limiting exploitation.

MITRE ATT&CK Enterprise Techniques

T1110.001 Password Guessing Credential Access
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

A timing side-channel in an authentication path lets an attacker learn, from response-time differences, how close a guess is to the correct secret, turning blind password or token guessing into a guided search.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel.

Deeper analysis

CVE-2025-70949 is an observable timing discrepancy vulnerability, classified under CWE-208 (Observable Timing Discrepancy), affecting the @perfood/couch-auth npm package at version 0.26.0. This flaw enables attackers to access sensitive information through a timing side-channel attack. The vulnerability received a CVSS v3.1 base score of 7.5, reflecting high confidentiality impact with network accessibility, low attack complexity, no required privileges or user interaction, and unchanged scope.

Remote attackers can exploit this vulnerability over the network without authentication or user involvement. By measuring response-time differences in the authentication process, an attacker can infer the value the comparison was meant to protect, such as credential material, leading to unauthorized disclosure. The NVD description does not specify which value leaks or which code path is affected.

Mitigation guidance and further details are available in advisories linked to the CVE, including a GitHub Gist at https://gist.github.com/0xHunterr/38aab644874ca9f4646524c5b01cfe5e, the package repository at https://github.com/perfood/couch-auth, and the npm page at https://www.npmjs.com/package/@perfood/couch-auth. Security practitioners should review these resources for patching instructions or workarounds specific to the affected version.

Details

CWE(s)

CWE-208 Observable Timing Discrepancy

Affected Products

@perfood/couch-auth 0.26.0 (npm)
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-5086 (shared CWE-208)
CVE-2026-28464 (shared CWE-208)
CVE-2025-68621 (shared CWE-208)
CVE-2026-41588 (shared CWE-208)
CVE-2025-48630 (shared CWE-208)
CVE-2026-40972 (shared CWE-208)
CVE-2024-42512 (shared CWE-208)
CVE-2026-23519 (shared CWE-208)
CVE-2024-13939 (shared CWE-208)

References

https://gist.github.com/0xHunterr/38aab644874ca9f4646524c5b01cfe5e
https://github.com/perfood/couch-auth
https://www.npmjs.com/package/@perfood/couch-auth