GHSA-3wfh-36rx-9537: 
Java vulnerability analysis and mitigation

SCRAM (Salted Challenge Response Authentication Mechanism), a component of the Simple Authentication and Security Layer (SASL, RFC 4422) authentication mechanisms, was found to contain a timing attack vulnerability (CVE-2025-59432) prior to version 3.2. The vulnerability was discovered and disclosed on September 16, 2025, affecting the SCRAM Java implementation (GitHub Advisory).

The vulnerability stems from the usage of Arrays.equals for comparing secret values such as client proofs and server signatures. The Arrays.equals method performs a short-circuit comparison, causing execution time to vary based on the number of matching leading bytes. This timing discrepancy creates a potential vector for timing side-channel attacks. The vulnerability has been assigned a CVSS v4.0 base score of 6.6 (Moderate) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U (GitHub Advisory, Red Hat).

The vulnerability potentially allows attackers to perform timing side-channel attacks and infer sensitive authentication material. All users relying on SCRAM authentication are impacted by this security issue (GitHub Advisory).

The vulnerability has been patched in version 3.2 by replacing Arrays.equals with MessageDigest.isEqual, which ensures constant-time comparison. Users are strongly advised to upgrade to version 3.2 or later as this is the only reliable mitigation (GitHub Advisory, GitHub Commit).