{"id":"GHSA-53hj-r94p-8c8f","summary":"Kanidm has non-constant-time comparison of OAuth2 client_secret","details":"### Summary\n\nThe kanidmd OAuth2 token-exchange (`/oauth2/token`) and token-introspection (`/oauth2/token/introspect`) endpoints compare the supplied `client_secret` against the stored secret using Rust's `PartialEq` on `String`, which short-circuits on the first mismatching byte. This produces an observable timing discrepancy that varies with the length of the matching prefix.\n\n### Details\n\n- https://github.com/kanidm/kanidm/blob/master/server/lib/src/idm/oauth2.rs#L1135 — variable-time comparison in `check_oauth2_token_exchange`\n- https://cwe.mitre.org/data/definitions/208.html — CWE-208: Observable Timing Discrepancy\n\n### PoC\n\nStatic analysis only — no timing-recovery script was run because remote recovery of a 48-byte high-entropy secret over HTTPS is not practically demonstrable. The variable-time behaviour is established by inspection:\n\n```rust\n// server/lib/src/idm/oauth2.rs:1135  (check_oauth2_token_exchange)\nif authz_secret == &secret { … } else { return Err(Oauth2Error::AuthenticationRequired); }\n```\n\n`String: PartialEq` delegates to `\u003c[u8] as PartialEq\u003e::eq`, which checks length equality then iterates byte-by-byte and returns on the first difference.\n\n### Impact\n\nAn unauthenticated network attacker who can reach the OAuth2 endpoints can submit arbitrary `client_id`/`client_secret` pairs and observe response latency. In principle the early-exit comparison leaks the position of the first mismatching byte, providing a timing oracle toward incremental recovery of a confidential client's secret. In practice the stored secret is a server-generated 48-character high-entropy string, the comparison runs inside an async tokio handler behind TLS, and network jitter is orders of magnitude larger than a single byte-compare — so remote recovery is not considered realistic with current techniques. This is a hardening issue rather than a practically exploitable vulnerability.\n\n### Affected versions\n\nAll published `kanidmd_lib` releases; the comparison is still variable-time on `master` at 1.10.0-dev","modified":"2026-05-06T23:47:49.387926Z","published":"2026-05-06T23:37:56Z","database_specific":{"nvd_published_at":null,"severity":"LOW","github_reviewed":true,"cwe_ids":["CWE-208"],"github_reviewed_at":"2026-05-06T23:37:56Z"},"references":[{"type":"WEB","url":"https://github.com/kanidm/kanidm/security/advisories/GHSA-53hj-r94p-8c8f"},{"type":"PACKAGE","url":"https://github.com/kanidm/kanidm"}],"affected":[{"package":{"name":"kanidm","ecosystem":"crates.io","purl":"pkg:cargo/kanidm"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.9.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-53hj-r94p-8c8f/GHSA-53hj-r94p-8c8f.json","last_known_affected_version_range":"\u003c= 1.9.2"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}