Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
4ga Boards is a boards system for realtime project management. Prior to 3.3.5, 4ga Boards is vulnerable to user enumeration via a timing side-channel in the login endpoint (POST /api/access-tokens). When an invalid username/email is provided, the server responds immediately (~17ms average). When a valid username/email is provided with an incorrect password, the server first performs a bcrypt.compareSync() operation (~74ms average) before responding. This ~4.4× timing difference is trivially detectable even over a network - a single request suffices. This vulnerability is fixed in 3.3.5.
AnalysisAI
4ga Boards prior to version 3.3.5 leaks valid usernames and email addresses through response timing analysis on the login endpoint. An unauthenticated attacker can distinguish between invalid credentials (where the username/email does not exist) and valid credentials with an incorrect password by measuring response times, with a ~4.4× timing difference detectable in a single request over the network. This enables user enumeration attacks without brute-force constraints, allowing reconnaissance for subsequent account takeover attempts.
Technical ContextAI
The vulnerability exploits a timing side-channel in the POST /api/access-tokens login endpoint. The root cause (CWE-208: Observable Timing Discrepancy) stems from the application's conditional execution flow: when an invalid username or email is submitted, the server returns immediately (~17ms) without attempting password verification. When a valid username or email is provided, the server executes bcrypt.compareSync() to verify the password (~74ms) before responding. Since bcrypt is computationally expensive by design, this comparison introduces a measurable delay. The timing differential is large enough to be reliably detected over network latency, which typically adds 10-50ms jitter. The application uses the standard cpe:2.3:a:rargames:4gaboards product CPE, indicating this affects the core 4ga Boards product line across affected versions.
RemediationAI
Upgrade 4ga Boards to version 3.3.5 or later, which includes the fix for the timing side-channel vulnerability. If immediate patching is not possible, implement the following compensating control: modify the login endpoint to add artificial delay or constant-time comparison logic so that both valid and invalid username responses have identical latency profiles (e.g., always execute a bcrypt comparison operation regardless of username validity, or add a fixed delay such that all responses return after ~100ms). This mitigates user enumeration but does not eliminate the vulnerability and may degrade user experience. Rate-limiting on the /api/access-tokens endpoint (e.g., 5 requests per IP per minute) can reduce the statistical reliability of timing attacks but does not prevent them entirely. The primary recommended action is to deploy version 3.3.5 or later from the vendor advisory URL.
Same weakness CWE-208 – Observable Timing Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25612