{"id":"CVE-2020-25200","details":"Pritunl 1.29.2145.25 allows attackers to enumerate valid VPN usernames via a series of /auth/session login attempts. Initially, the server returns error 401. However, if the username is valid, then after 20 login attempts the server starts responding with error 400, whereas invalid usernames receive error 401 indefinitely. Note: The vendor disputes that this is a vulnerability, arguing that the behavior is intended design.","modified":"2026-03-14T10:06:55.809391Z","published":"2020-10-01T18:15:12.577Z","references":[{"type":"ADVISORY","url":"https://pritunl.com"},{"type":"ADVISORY","url":"https://pritunl.com/security"},{"type":"EVIDENCE","url":"https://github.com/lukaszstu/pritunl/blob/master/CVE-2020-25200"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pritunl/pritunl","events":[{"introduced":"0"},{"last_affected":"8abc0f32a6f00c756117d0c03386572356751388"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.29.2145.25"}]}}],"versions":["0.10.1","0.10.10","0.10.11","0.10.12","0.10.2","0.10.3","0.10.4","0.10.5","0.10.6","0.10.7","0.10.8","0.10.9","1.0.449.92beta1","1.0.450.77snapshot1","1.0.450.99snapshot2","1.0.451.16snapshot3","1.0.453.81snapshot4","1.0.454.86snapshot5","1.0.457.10snapshot6","1.0.459.12snapshot7","1.0.459.72beta2","1.0.460.38","1.0.460.41","1.0.460.43","1.0.460.81","1.0.462.12","1.0.462.77","1.0.464.77","1.0.474.91","1.0.475.0","1.0.477.0","1.0.481.92","1.0.482.93","1.0.488.77","1.0.513.37","1.0.544.74","1.0.586.29","1.0.601.2","1.0.601.67","1.10.806.90","1.10.807.55","1.10.807.63","1.10.807.67","1.10.808.29","1.10.808.53","1.11.811.26snapshot","1.11.811.59","1.11.813.26","1.11.820.96snapshot","1.12.825.25snapshot","1.12.825.29snapshot","1.12.825.62","1.12.825.71","1.12.825.77","1.12.825.85","1.12.826.5","1.12.826.92snapshot","1.12.827.16","1.12.827.72","1.12.827.85","1.12.828.76","1.13.831.74snapshot","1.13.831.99snapshot","1.13.832.99","1.13.836.1","1.14.841
.12snapshot","1.14.842.11snapshot","1.14.842.79","1.14.845.84snapshot","1.14.845.99","1.15.855.27snapshot","1.15.855.83snapshot","1.15.856.74snapshot","1.15.856.82snapshot","1.15.856.94","1.15.857.70","1.15.862.92","1.16.866.36snapshot","1.16.867.0","1.16.869.90","1.16.871.82","1.16.872.77","1.16.879.94","1.16.880.20snapshot","1.16.880.85snapshot","1.16.881.14","1.16.883.98snapshot","1.16.884.17","1.17.889.40snapshot","1.17.890.29snapshot","1.17.891.6snapshot","1.17.892.18snapshot","1.17.893.1snapshot","1.17.894.82snapshot","1.17.895.42","1.18.900.41snapshot","1.18.901.88snapshot","1.18.902.26","1.18.902.99","1.18.903.84","1.18.906.35","1.18.908.31","1.19.912.28snapshot","1.19.912.37snapshot","1.19.912.44","1.19.913.28","1.2.604.38","1.20.914.33snapshot","1.20.917.37","1.20.917.3snapshot","1.20.922.84snapshot","1.20.922.99","1.20.923.9","1.21.924.38","1.21.926.53","1.21.928.27","1.21.931.43snapshot","1.21.937.88snapshot","1.21.938.10","1.21.938.4","1.21.938.43","1.21.938.80","1.21.939.33","1.21.940.40","1.21.940.94","1.21.941.19snapshot","1.21.941.39","1.21.941.90","1.21.942.24","1.21.945.14","1.21.946.24","1.21.946.40","1.21.947.73","1.21.953.33snapshot","1.21.953.42","1.21.954.48","1.21.967.90","1.22.975.2snapshot","1.22.977.25","1.22.977.55","1.22.977.72","1.22.977.9","1.22.980.81snapshot","1.22.980.85","1.22.984.30","1.22.986.23","1.22.986.28","1.23.1002.28","1.23.1005.91","1.23.986.96snapshot","1.23.987.18","1.23.992.76","1.23.993.6","1.23.996.29","1.23.997.12","1.24.1011.37snapshot","1.24.1017.92snapshot","1.24.1019.25","1.24.1019.41","1.24.1020.94","1.24.1023.2","1.24.1023.67","1.24.1023.75","1.24.1025.13","1.24.1025.78","1.24.1029.3snapshot","1.25.1030.26snapshot","1.25.1033.22snapshot","1.25.1034.83snapshot","1.25.1036.25","1.25.1037.17","1.25.1039.3","1.25.1039.56","1.25.1041.8","1.25.1042.81","1.25.1047.94snapshot","1.25.1049.10snapshot","1.25.1050.42","1.25.1054.4","1.25.1057.22","1.25.1057.45","1.25.1060.38","1.25.1064.86","1.25.1066.97","1.25.1071.11",
"1.25.1074.0snapshot","1.25.1075.19","1.25.1083.14snapshot","1.25.1084.95","1.25.1092.18","1.25.1092.73","1.25.1093.62","1.25.1103.15","1.25.1103.21","1.25.1105.67","1.25.1108.92","1.25.1109.79","1.25.1111.71","1.25.1116.74","1.25.1119.59","1.25.1120.61","1.25.1122.21","1.25.1122.55","1.25.1126.38","1.25.1133.28","1.25.1134.24","1.25.1141.65","1.25.1148.96","1.25.1158.92","1.25.1164.91","1.25.1173.81","1.25.1174.5","1.25.1175.88","1.25.1176.91","1.25.1176.93","1.25.1177.82","1.25.1177.86","1.25.1180.33","1.25.1182.95","1.26.1187.26","1.26.1188.41","1.26.1208.95","1.26.1209.89","1.26.1211.3snapshot","1.26.1212.25snapshot","1.26.1213.2snapshot","1.26.1215.39","1.26.1216.43snapshot","1.26.1217.86","1.26.1218.96","1.26.1220.48","1.26.1221.43","1.26.1221.83","1.26.1221.87","1.26.1225.85","1.26.1227.2","1.26.1227.85","1.26.1231.99","1.27.1257.20snapshot","1.27.1258.26snapshot","1.27.1258.40snapshot","1.27.1259.32","1.27.1259.5snapshot","1.27.1259.77","1.27.1265.38","1.27.1266.22","1.27.1268.95","1.27.1272.94","1.27.1280.78snapshot","1.27.1282.3snapshot","1.27.1282.77","1.27.1307.25","1.27.1308.92","1.27.1314.93","1.28.1350.6snapshot","1.28.1351.42snapshot","1.28.1352.43snapshot","1.28.1353.25snapshot","1.28.1354.89snapshot","1.28.1355.40snapshot","1.28.1356.19","1.28.1356.41","1.28.1356.45","1.28.1357.25","1.28.1357.34","1.28.1357.38","1.28.1358.27snapshot","1.28.1358.35","1.28.1364.80","1.28.1366.98","1.28.1369.94","1.28.1372.23","1.28.1372.97","1.28.1373.27","1.28.1377.74","1.28.1379.82","1.28.1415.87","1.28.1426.0","1.28.1438.31","1.28.1442.28","1.28.1445.85","1.28.1460.76","1.28.1461.29","1.28.1462.0","1.28.1463.29","1.28.1463.34","1.28.1463.93","1.28.1465.32","1.28.1468.86","1.28.1472.86","1.28.1475.11","1.28.1475.35","1.28.1476.96","1.28.1485.27","1.28.1487.93","1.28.1515.73","1.28.1526.18","1.28.1531.19","1.28.1541.26","1.28.1543.43","1.28.1545.95","1.28.1548.86","1.28.1575.85","1.28.1578.26","1.28.1583.22","1.28.1583.4","1.28.1583.74","1.29.1596.36","1.29.1609.88"
,"1.29.1613.84","1.29.1614.10","1.29.1618.85","1.29.1624.82","1.29.1625.53","1.29.1628.17","1.29.1630.26","1.29.1630.29","1.29.1630.34","1.29.1630.5","1.29.1631.22","1.29.1631.29","1.29.1633.23","1.29.1635.72","1.29.1638.92","1.29.1640.83","1.29.1651.76","1.29.1657.94","1.29.1663.38","1.29.1666.4","1.29.1666.76","1.29.1669.3","1.29.1670.66","1.29.1675.99","1.29.1680.74","1.29.1695.84","1.29.1705.7","1.29.1721.99","1.29.1731.20","1.29.1731.96","1.29.1758.63","1.29.1765.91","1.29.1787.23","1.29.1788.11","1.29.1789.87","1.29.1804.86","1.29.1827.6","1.29.1887.37","1.29.1887.80","1.29.1890.32","1.29.1891.28","1.29.1902.39","1.29.1914.98","1.29.1917.25","1.29.1919.29","1.29.1923.80","1.29.1924.6","1.29.1925.81","1.29.1926.93","1.29.1929.33","1.29.1947.29","1.29.1952.27","1.29.1958.76","1.29.1979.98","1.29.1990.10","1.29.1994.1","1.29.1999.88","1.29.2010.18","1.29.2026.90","1.29.2051.18","1.29.2145.25","1.3.613.97beta1","1.3.614.40","1.3.627.6","1.3.651.28","1.3.662.15","1.4.711.13snapshot","1.4.719.92snapshot","1.4.720.67snapshot","1.4.722.21snapshot","1.4.722.95","1.4.726.73","1.4.728.46","1.4.729.19","1.4.730.30","1.4.730.81","1.4.733.12","1.5.735.17snapshot","1.5.736.10snapshot","1.5.736.64snapshot","1.5.736.97snapshot","1.5.737.48snapshot","1.5.737.70snapshot","1.5.737.82","1.5.737.89","1.5.742.91snapshot","1.5.743.11","1.6.745.48snapshot","1.6.746.87snapshot","1.6.747.62","1.6.749.17","1.6.751.72","1.6.752.82","1.6.755.70","1.6.757.9","1.7.770.34snapshot","1.7.770.40snapshot","1.7.774.46","1.8.775.40snapshot","1.8.777.38snapshot","1.8.778.54","1.8.783.26","1.8.783.3snapshot","1.8.783.8","1.8.785.65","1.8.787.62","1.9.788.74snapshot","1.9.789.27snapshot","1.9.789.46","1.9.790.54","1.9.791.92snapshot","1.9.792.17","1.9.792.33","1.9.792.39","1.9.792.46snapshot","1.9.793.2","1.9.793.22","1.9.798.13","1.9.798.90","1.9.800.2","1.9.802.84snapshot","1.9.803.37","1.9.804.68","1.9.804.88","1.9.805.7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conver
sion/osv-output/CVE-2020-25200.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}