Timing side-channel vulnerability in verifykey(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a keyid corresponds to a valid key, potentially accelerating brute-force or enumeration attacks.
Affected: all users relying on verify_key() for API key authentication prior to the fix.
Yes. Users should upgrade to version 1.1.0 (or the version containing this fix). The patch applies a uniform random delay (mindelay to maxdelay) to all responses regardless of outcome, eliminating the timing correlation.