CVE-2025-68621

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-68621

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68621.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-68621

Aliases

GHSA-hxf6-58cx-qq3x

Published

2026-02-06T21:21:19.308Z

Modified

2026-04-10T05:35:08.624674Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Trilium Notes has a Timing Attack Vulnerability in /api/login/sync

Details

Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in Trilium's sync authentication endpoint allows unauthenticated remote attackers to recover HMAC authentication hashes byte-by-byte through statistical timing analysis. This enables complete authentication bypass without password knowledge, granting full read/write access to victim's knowledge base. This vulnerability is fixed in 0.101.0.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68621.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-208"
    ]
}

References

Affected packages

Git / github.com/triliumnext/trilium

Affected ranges

Type: GIT
Repo: https://github.com/triliumnext/trilium
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

2d486c9934925296d39d3fc4046e77f750e2c146

Affected versions

0.*

0.41.3

v0.*

v0.0.10

v0.0.11

v0.0.9

v0.1.0

v0.1.1

v0.1.2

v0.10.0-beta

v0.10.1-beta

v0.10.2-beta

v0.11.0-beta

v0.11.1

v0.13.0-beta

v0.14.0

v0.14.1

v0.15.0

v0.16.0

v0.17.0

v0.18.0

v0.19.0

v0.19.1

v0.2.0

v0.2.1

v0.2.2

v0.20.0

v0.20.1

v0.20.2

v0.21.0

v0.22.0

v0.22.1

v0.23.0

v0.24.0-beta

v0.24.1-beta

v0.24.2-beta

v0.24.3-beta

v0.24.4-beta

v0.24.5

v0.25.0-beta

v0.25.1-beta

v0.26.0-beta

v0.26.1

v0.27.0-beta

v0.27.1-beta

v0.27.2-beta

v0.27.3

v0.27.4

v0.28.0-beta

v0.28.1-beta

v0.28.2

v0.28.3

v0.29.0-beta

v0.29.1

v0.3.0

v0.3.1

v0.3.2

v0.30.0-beta

v0.30.1-beta

v0.30.2-beta

v0.30.3-beta

v0.31.0-beta

v0.31.1-beta

v0.31.2-beta

v0.31.3

v0.32.0-beta

v0.32.1-beta

v0.32.2-beta

v0.32.3

v0.33.0-beta

v0.33.1-beta

v0.33.2-beta

v0.33.3

v0.34.0-beta

v0.34.1

v0.35.0-beta

v0.35.1

v0.36.0-beta

v0.36.1-beta

v0.37.0-beta

v0.37.1-beta

v0.37.2

v0.38.0-beta

v0.38.1-beta

v0.38.2

v0.39.0-beta

v0.39.1-beta

v0.39.2-beta

v0.39.3

v0.4.0-beta

v0.4.1

v0.40.0-beta

v0.41.0-beta

v0.41.1-beta

v0.41.2-beta

v0.41.3-beta

v0.41.4-beta

v0.41.5

v0.41.6

v0.42.0-beta

v0.42.1

v0.44.0-beta

v0.44.1-beta

v0.44.2-beta

v0.44.3-beta

v0.44.4

v0.46.0-beta

v0.46.1-beta

v0.46.2-beta

v0.46.3-beta

v0.47.0-beta

v0.48.0-beta

v0.48.1-beta

v0.48.2

v0.48.3

v0.48.4

v0.48.5

v0.48.6

v0.48.6-docker

v0.48.6.1

v0.49.0-beta

v0.49.1-beta

v0.49.2-beta

v0.49.3

v0.49.4

v0.5.0-beta

v0.5.1-beta

v0.5.2-beta

v0.5.3-beta

v0.5.4-beta

v0.5.5-beta

v0.50.0-beta

v0.50.1

v0.51.0-beta

v0.51.1-beta

v0.51.2

v0.52.0-beta

v0.52.1-beta

v0.52.2

v0.53.0-beta

v0.53.1-beta

v0.53.2

v0.54.0-beta

v0.54.1-beta

v0.55.0-beta

v0.55.1

v0.56.0-beta

v0.56.1

v0.57.0-beta

v0.57.1-beta

v0.57.2

v0.57.3

v0.58.0-beta

v0.59.0-beta

v0.59.1

v0.6.0-beta

v0.6.1

v0.61.0-beta

v0.61.1-beta

v0.61.2-beta

v0.61.3-beta

v0.61.4-beta

v0.62.0-beta

v0.62.1-beta

v0.62.2

v0.63.6

v0.7.0-beta

v0.8.0-beta

v0.8.1

v0.96.0

v0.97.0

v0.97.2

v0.98.0

v0.98.1

v0.99.0

v0.99.2

v0.99.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68621.json"