Vulnerability Description
Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in Trilium's sync authentication endpoint allows unauthenticated remote attackers to recover HMAC authentication hashes byte-by-byte through statistical timing analysis. This enables complete authentication bypass without password knowledge, granting full read/write access to victim's knowledge base. This vulnerability is fixed in 0.101.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Triliumnotes | Trilium | < 0.101.0 |
Related Weaknesses (CWE)
References
- https://github.com/TriliumNext/Trilium/pull/8129Issue TrackingPatch
- https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hxf6-58cx-qq3xExploitMitigationPatch
FAQ
What is CVE-2025-68621?
CVE-2025-68621 is a vulnerability with a CVSS score of 7.4 (HIGH). Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in...
How severe is CVE-2025-68621?
CVE-2025-68621 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-68621?
Check the references section above for vendor advisories and patch information. Affected products include: Triliumnotes Trilium.