Untriaged
CVE-2025-68621
7.4 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): HIGH
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): NONE
Trilium Notes has a Timing Attack Vulnerability in /api/login/sync
Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in Trilium's sync authentication endpoint allows unauthenticated remote attackers to recover HMAC authentication hashes byte-by-byte through statistical timing analysis. This enables complete authentication bypass without password knowledge, granting full read/write access to the victim's knowledge base. This vulnerability is fixed in 0.101.0.
References
- https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hxf6-58cx-qq3x (x_refsource_CONFIRM)
- https://github.com/TriliumNext/Trilium/pull/8129 (x_refsource_MISC)
Affected products
Trilium
- ==< 0.101.0
Matching in nixpkgs
pkgs.trilium-server
Hierarchical note taking application with focus on building large personal knowledge bases
pkgs.trilium-desktop
Hierarchical note taking application with focus on building large personal knowledge bases
- nixos-25.11: 0.99.5
Package maintainers
- @FliegendeWurst Arne Keller <arne.keller@posteo.de>
- @eliandoran Elian Doran <contact@eliandoran.me>