CVE-2025-68621

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-68621

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68621.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-68621

Aliases

GHSA-hxf6-58cx-qq3x

Published

2026-02-06T21:21:19.308Z

Modified

2026-02-07T02:56:28.137570Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Trilium Notes has a Timing Attack Vulnerability in /api/login/sync

Details

Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in Trilium's sync authentication endpoint allows unauthenticated remote attackers to recover HMAC authentication hashes byte-by-byte through statistical timing analysis. This enables complete authentication bypass without password knowledge, granting full read/write access to victim's knowledge base. This vulnerability is fixed in 0.101.0.

Database specific

{
    "cwe_ids": [
        "CWE-208"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68621.json"
}

References

Affected packages

Git / github.com/triliumnext/trilium

Affected ranges

Type

GIT

Repo

https://github.com/triliumnext/trilium

Events

Introduced

Fixed

2d486c9934925296d39d3fc4046e77f750e2c146

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.101.0"
        }
    ]
}

Affected versions

0.*

0.41.3

Other

nightly

v0.*

v0.0.10

v0.0.11

v0.0.9

v0.1.0

v0.1.1

v0.1.2

v0.10.0-beta

v0.10.1-beta

v0.10.2-beta

v0.100.0

v0.11.0-beta

v0.11.1

v0.12.0

v0.13.0-beta

v0.14.0

v0.14.1

v0.15.0

v0.16.0

v0.17.0

v0.18.0

v0.19.0

v0.19.1

v0.2.0

v0.2.1

v0.2.2

v0.20.0

v0.20.1

v0.20.2

v0.21.0

v0.22.0

v0.22.1

v0.23.0

v0.23.1

v0.24.0-beta

v0.24.1-beta

v0.24.2-beta

v0.24.3-beta

v0.24.4-beta

v0.24.5

v0.25.0-beta

v0.25.1-beta

v0.25.2

v0.26.0-beta

v0.26.1

v0.27.0-beta

v0.27.1-beta

v0.27.2-beta

v0.27.3

v0.27.4

v0.28.0-beta

v0.28.1-beta

v0.28.2

v0.28.3

v0.29.0-beta

v0.29.1

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.30.0-beta

v0.30.1-beta

v0.30.2-beta

v0.30.3-beta

v0.30.4

v0.30.5

v0.30.6

v0.30.7

v0.30.8

v0.31.0-beta

v0.31.1-beta

v0.31.2-beta

v0.31.3

v0.31.4

v0.31.5

v0.31.6

v0.32.0-beta

v0.32.1-beta

v0.32.2-beta

v0.32.3

v0.32.4

v0.33.0-beta

v0.33.1-beta

v0.33.2-beta

v0.33.3

v0.33.4

v0.33.5

v0.33.6

v0.33.7

v0.34.0-beta

v0.34.1

v0.34.2

v0.34.3

v0.35.0-beta

v0.35.1

v0.35.2

v0.36.0-beta

v0.36.1-beta

v0.36.2

v0.36.3

v0.36.4

v0.36.5

v0.37.0-beta

v0.37.1-beta

v0.37.2

v0.37.3

v0.37.4

v0.37.5

v0.37.6

v0.37.7

v0.37.8

v0.38.0-beta

v0.38.1-beta

v0.38.2

v0.38.3

v0.39.0-beta

v0.39.1-beta

v0.39.2-beta

v0.39.3

v0.39.4

v0.39.5

v0.39.6

v0.4.0-beta

v0.4.1

v0.40.0-beta

v0.40.1

v0.40.2

v0.40.3

v0.40.4

v0.40.5

v0.40.6

v0.40.7

v0.41.0-beta

v0.41.1-beta

v0.41.2-beta

v0.41.3-beta

v0.41.4-beta

v0.41.5

v0.41.6

v0.42.0-beta

v0.42.1

v0.42.2

v0.42.3

v0.42.4

v0.42.5

v0.42.6

v0.42.7

v0.43.0-beta

v0.43.1

v0.43.2

v0.43.3

v0.43.4

v0.44.0-beta

v0.44.1-beta

v0.44.2-beta

v0.44.3-beta

v0.44.4

v0.44.5

v0.44.6

v0.44.7

v0.44.8

v0.44.9

v0.45.0-beta

v0.45.1

v0.45.10

v0.45.2

v0.45.3

v0.45.4

v0.45.5

v0.45.6

v0.45.7

v0.45.8

v0.45.9

v0.46.0-beta

v0.46.1-beta

v0.46.2-beta

v0.46.3-beta

v0.46.4-beta

v0.46.5

v0.46.6

v0.46.7

v0.46.8

v0.46.9

v0.47.0-beta

v0.47.1-beta

v0.47.2

v0.47.3

v0.47.4

v0.47.5

v0.47.6

v0.47.7

v0.47.8

v0.48.0-beta

v0.48.1-beta

v0.48.2

v0.48.3

v0.48.4

v0.48.5

v0.48.6

v0.48.6-docker

v0.48.6.1

v0.48.7

v0.48.8

v0.48.9

v0.49.0-beta

v0.49.1-beta

v0.49.2-beta

v0.49.3

v0.49.4

v0.49.5

v0.5.0-beta

v0.5.1-beta

v0.5.2-beta

v0.5.3-beta

v0.5.4-beta

v0.5.5-beta

v0.5.6

v0.50.0-beta

v0.50.1

v0.50.2

v0.50.3

v0.51.0-beta

v0.51.1-beta

v0.51.2

v0.52.0-beta

v0.52.1-beta

v0.52.2

v0.52.3

v0.52.4

v0.53.0-beta

v0.53.1-beta

v0.53.2

v0.54.0-beta

v0.54.1-beta

v0.54.3

v0.55.0-beta

v0.55.1

v0.56.0-beta

v0.56.1

v0.56.2

v0.57.0-beta

v0.57.1-beta

v0.57.2

v0.57.3

v0.57.4

v0.57.5

v0.58.0-beta

v0.58.1-beta

v0.58.2-beta

v0.58.3-beta

v0.58.4

v0.58.5

v0.58.6

v0.58.7

v0.58.8

v0.59.0-beta

v0.59.1

v0.59.2

v0.59.3

v0.59.4

v0.6.0-beta

v0.6.1

v0.6.2

v0.60.0-beta

v0.60.1-beta

v0.60.2-beta

v0.60.3

v0.60.4

v0.61.0-beta

v0.61.1-beta

v0.61.10-beta

v0.61.11

v0.61.12

v0.61.13

v0.61.14

v0.61.15

v0.61.2-beta

v0.61.3-beta

v0.61.4-beta

v0.61.5-beta

v0.61.6-beta

v0.61.7-beta

v0.61.8-beta

v0.61.9-beta

v0.62.0-beta

v0.62.1-beta

v0.62.2

v0.62.3

v0.62.4

v0.62.5

v0.62.6

v0.63.0-beta

v0.63.1-beta

v0.63.1.1-beta

v0.63.2-beta

v0.63.3

v0.63.4

v0.63.5

v0.63.6

v0.7.0-beta

v0.8.0-beta

v0.8.1

v0.9.0-beta

v0.9.1-beta

v0.9.2

v0.90.0-beta

v0.90.1-beta

v0.90.10-beta

v0.90.11-beta

v0.90.12

v0.90.2-beta

v0.90.3

v0.90.4

v0.90.5-beta

v0.90.6-beta

v0.90.7-beta

v0.90.8

v0.90.9-beta

v0.91.1-beta

v0.91.2-beta

v0.91.4-beta

v0.91.4-rc1

v0.91.5

v0.91.6

v0.92.0-beta

v0.92.1-beta

v0.92.2-beta

v0.92.3-beta

v0.92.4

v0.92.5-beta

v0.92.6

v0.92.7

v0.93.0

v0.94.0

v0.94.1

v0.95.0

v0.96.0

v0.97.0

v0.97.1

v0.97.2

v0.98.0

v0.98.1

v0.99.0

v0.99.1

v0.99.2

v0.99.3

v0.99.4

v0.99.5

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68621.json"