CVE-2025-70949
Published: 05 March 2026
Summary
CVE-2025-70949 is a high-severity Observable Timing Discrepancy (CWE-208) vulnerability in the @perfood/couch-auth npm package (affected product inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Password Guessing (T1110.001). The CVE ranks at the 3.6th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SC-31 (Covert Channel Analysis).
Deeper analysis
CVE-2025-70949 is an observable timing discrepancy vulnerability, classified under CWE-208 (Observable Timing Discrepancy), affecting the @perfood/couch-auth npm package at version 0.26.0. This flaw enables attackers to access sensitive information through a timing side-channel attack. The vulnerability received a CVSS v3.1 base score of 7.5, reflecting high confidentiality impact with network accessibility, low attack complexity, no required privileges or user interaction, and unchanged scope.
Remote attackers can exploit this vulnerability over the network without authentication or user involvement. By measuring response time differences in the authentication process, attackers can infer sensitive data, such as credentials or other protected information, potentially leading to unauthorized disclosure.
Mitigation guidance and further details are available in advisories linked to the CVE, including a GitHub Gist at https://gist.github.com/0xHunterr/38aab644874ca9f4646524c5b01cfe5e, the package repository at https://github.com/perfood/couch-auth, and the npm page at https://www.npmjs.com/package/@perfood/couch-auth. Security practitioners should review these resources for patching instructions or workarounds specific to the affected version.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208328
Vulnerability details
An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Timing side-channel in authentication enables efficient password guessing by leaking credential information via response time differences.
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely identification, reporting, and remediation of the specific timing side-channel flaw in @perfood/couch-auth v0.26.0, preventing unauthorized disclosure of sensitive information.
- SC-31 (Covert Channel Analysis): mandates covert channel analysis, including timing channels, to identify and mitigate observable timing discrepancies in the authentication process exploited by this CVE.
- RA-5 (Vulnerability Monitoring and Scanning): enables periodic and vulnerability-specific scanning to detect the presence of CVE-2025-70949 in systems using the vulnerable @perfood/couch-auth package.