Nixpkgs Security Tracker

Published

Permalink CVE-2025-68621

updated 2 weeks ago by @LeSuisse Activity log

Created automatic suggestion 2 weeks, 1 day ago
@LeSuisse accepted 2 weeks ago
@LeSuisse published on GitHub 2 weeks ago

Trilium Notes has a Timing Attack Vulnerability in /api/login/sync

Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in Trilium's sync authentication endpoint allows unauthenticated remote attackers to recover HMAC authentication hashes byte-by-byte through statistical timing analysis. This enables complete authentication bypass without password knowledge, granting full read/write access to victim's knowledge base. This vulnerability is fixed in 0.101.0.

Affected products

Trilium

==< 0.101.0

Matching in nixpkgs

pkgs.trilium-server

Hierarchical note taking application with focus on building large personal knowledge bases

nixos-unstable 0.101.3
- nixpkgs-unstable 0.101.3
- nixos-unstable-small 0.101.3
nixos-25.11 0.99.5
- nixos-25.11-small 0.99.5
- nixpkgs-25.11-darwin 0.99.5

pkgs.trilium-desktop

Hierarchical note taking application with focus on building large personal knowledge bases

pkgs.trilium-next-desktop

Hierarchical note taking application with focus on building large personal knowledge bases

nixos-unstable 0.101.3
- nixpkgs-unstable 0.101.3
- nixos-unstable-small 0.101.3
nixos-25.11 0.99.5
- nixos-25.11-small 0.99.5
- nixpkgs-25.11-darwin 0.99.5

Package maintainers

@eliandoran Elian Doran <contact@eliandoran.me>
@FliegendeWurst Arne Keller <arne.keller@posteo.de>

Upstream advisory: https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hxf6-58cx-qq3x
Upstream PR: https://github.com/TriliumNext/Trilium/pull/8129

Suggestions search

Affected products

Matching in nixpkgs

pkgs.trilium-server

pkgs.trilium-desktop

pkgs.trilium-next-desktop

Package maintainers