
CVE-2025-70949 (Severity: High)

Published: 05 March 2026

Modified: 27 April 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0002 (3.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-70949 is a high-severity Observable Timing Discrepancy (CWE-208) vulnerability in Npmjs (the affected product is inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001). The CVE is ranked at the 3.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SC-31 (Covert Channel Analysis).

Deeper analysis

CVE-2025-70949 is an observable timing discrepancy vulnerability, classified under CWE-208 (Observable Timing Discrepancy), affecting the @perfood/couch-auth npm package at version 0.26.0. This flaw enables attackers to access sensitive information through a timing side-channel attack. The vulnerability received a CVSS v3.1 base score of 7.5, reflecting high confidentiality impact with network accessibility, low attack complexity, no required privileges or user interaction, and unchanged scope.

Remote attackers can exploit this vulnerability over the network without authentication or user involvement. By measuring response time differences in the authentication process, attackers can infer sensitive data, such as credentials or other protected information, potentially leading to unauthorized disclosure.

Mitigation guidance and further details are available in advisories linked to the CVE, including a GitHub Gist at https://gist.github.com/0xHunterr/38aab644874ca9f4646524c5b01cfe5e, the package repository at https://github.com/perfood/couch-auth, and the npm page at https://www.npmjs.com/package/@perfood/couch-auth. Security practitioners should review these resources for patching instructions or workarounds specific to the affected version.

Vulnerability details

An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110.001 Password Guessing (Credential Access)
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

Timing side-channel in authentication enables efficient password guessing by leaking credential information via response time differences.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-47373 (shared CWE-208)
CVE-2026-47784 (shared CWE-208)
CVE-2026-5086 (shared CWE-208)
CVE-2026-47783 (shared CWE-208)
CVE-2025-48630 (shared CWE-208)
CVE-2026-28464 (shared CWE-208)
CVE-2026-41588 (shared CWE-208)
CVE-2024-42512 (shared CWE-208)
CVE-2025-68621 (shared CWE-208)
CVE-2026-40972 (shared CWE-208)

Affected Assets

Npmjs (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires timely identification, reporting, and remediation of the specific timing side-channel flaw in @perfood/couch-auth v0.26.0, preventing unauthorized disclosure of sensitive information.

Prevent: Mandates covert channel analysis, including timing channels, to identify and mitigate observable timing discrepancies in the authentication process exploited by this CVE.

Detect: Enables periodic and vulnerability-specific scanning to detect the presence of CVE-2025-70949 in systems using the vulnerable @perfood/couch-auth package.
