CVE-2024-23771

CRITICALNVD 9.89.8—

9.8

darkhttpd before 1.15 uses strcmp (which is not constant time) to verify authentication, which makes it easier for remote attackers to bypass authentication via a timing side channel.

CVSS v3: 9.8
EG Score: 9.8(medium)
EPSS: 43.3%
KEV: Not listed

Published

January 22, 2024

Last Modified

May 30, 2025

Advisory Details (3)

Auto-updated May 30, 2026

Patch available. Sources: github_commit.

generic

Comparing v1.14...v1.15 · emikulic/darkhttpd · GitHub

https://github.com/emikulic/darkhttpd/compare/v1.14...v1.15

github_commit Patch Available

commit f477619d49f3 (emikulic/darkhttpd)

Patch available: emikulic/darkhttpd v1.15 (contains commit f477619d49f3)

https://github.com/emikulic/darkhttpd/commit/f477619d49f3c4de9ad59bd194265a48ddc03f04

generic

oss-security - Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials

http://www.openwall.com/lists/oss-security/2024/01/25/1

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

CWE-203Observable Discrepancy (Information Exposure via Side Channel)

Data Freshness Timeline

(refreshed 14× in last 7d / 20× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-06-02 20:12 UTCepss_batch
2026-06-02 20:12 UTCepss_batch
2026-06-01 13:51 UTCepss_batch
2026-06-01 13:51 UTCepss_batch
2026-06-01 13:51 UTCepss_batch
2026-05-31 22:30 UTCepss_batch
2026-05-31 22:30 UTCepss_batch
2026-05-31 00:15 UTCepss_batch
2026-05-31 00:15 UTCepss_batch
2026-05-29 13:43 UTCepss_batch
2026-05-29 13:43 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-28 13:44 UTCepss_batch
2026-05-27 13:40 UTCepss_batch
2026-05-27 13:40 UTCepss_batch
2026-05-26 13:43 UTCepss_batch
2026-05-26 13:43 UTCepss_batch
2026-05-26 07:18 UTCepss_batch
2026-05-26 07:18 UTCepss_batch

Frequently asked(5)

What is CVE-2024-23771?

CVE-2024-23771 is a critical vulnerability published on January 22, 2024. darkhttpd before 1.15 uses strcmp (which is not constant time) to verify authentication, which makes it easier for remote attackers to bypass authentication via a timing side channel.

When was CVE-2024-23771 disclosed?

CVE-2024-23771 was first published in the National Vulnerability Database on January 22, 2024, with the most recent update on May 30, 2025. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2024-23771 actively exploited?

CVE-2024-23771 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 43.3% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2024-23771?

CVE-2024-23771 has a CVSS v3 base score of 9.8 (NVD).

How do I remediate CVE-2024-23771?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2024-23771, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2024-23771

Explore →

Is Your Infrastructure Affected by CVE-2024-23771?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2024-23771

📅 Published

🔄 Last Modified

📋 Advisory Details (3)