Finding NODE-AUTH-04
File modules/auth/controllers/auth.password.controller.js:35-37
Three distinct responses (unknown email / known-OAuth / known-local) enumerate registered emails; hashing skipped for unknown emails adds a timing oracle.
Fix Always respond identically (e.g. 200 "If that email exists, a reset link has been sent") and run a constant-time dummy hash when the user is not found.
Devkit Node clean audit 2026-05-29 (rev d42eb12). Verified real by an independent refute-by-default reviewer. Fix flows through /feature #N → /verify-qa → /pull-request-finalize.
Finding NODE-AUTH-04
File
modules/auth/controllers/auth.password.controller.js:35-37Three distinct responses (unknown email / known-OAuth / known-local) enumerate registered emails; hashing skipped for unknown emails adds a timing oracle.
Fix Always respond identically (e.g. 200 "If that email exists, a reset link has been sent") and run a constant-time dummy hash when the user is not found.
Devkit Node clean audit 2026-05-29 (rev d42eb12). Verified real by an independent refute-by-default reviewer. Fix flows through /feature #N → /verify-qa → /pull-request-finalize.