UI Discrepancy in Password in heroiclabs/nakama

Reported on Sep 4th 2022

There is a UI discrepancy in the user password section of the Nakama console. The UI shows the following message to the user for a short password: "Password is required, must be 8 chars or longer and consist of at least a capital letter, a small letter and a number". However, the backend accepts a password of just 6 characters, as the following request to the console API shows.

HTTP Request

POST /v2/console/user HTTP/1.1
Authorization: Bearer <token>
Cookie: <cookies>


The request sends a password of just 6 characters and the user account is still created. Because the policy is enforced only in the browser, anyone who can reach the console API (for example with curl or a proxy such as Burp) can bypass it by calling the endpoint directly.

The user interface gives feedback that leads the user to believe the feature is in a secure state, while the backend does not actually enforce the stated policy.
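The following is an added example, written for this page and not code from the Nakama project, showing the fix pattern for this class of bug in Go (Nakama's language): enforce the policy the UI advertises at the API boundary rather than only in the browser. WeakLengthOnlyCheck is a hypothetical stand-in for a backend that only checks a 6-character minimum, the behaviour the report observed; ValidatePassword enforces the rule set the UI message states (8 or more characters, a capital letter, a small letter and a number); AddUserHandler and addUserRequest are hypothetical, since the real request body is not shown in the report.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"unicode"
	"unicode/utf8"
)

// Password policy as stated by the console UI message in the report:
// at least 8 characters, with a capital letter, a small letter and a number.
const MinPasswordLength = 8

var (
	ErrTooShort = errors.New("password must be 8 chars or longer")
	ErrNoUpper  = errors.New("password must contain a capital letter")
	ErrNoLower  = errors.New("password must contain a small letter")
	ErrNoDigit  = errors.New("password must contain a number")
)

// WeakLengthOnlyCheck is a hypothetical stand-in for a backend that only
// enforces a 6-character minimum, the behaviour the report observed.
// It is not Nakama's code.
func WeakLengthOnlyCheck(pw string) error {
	if utf8.RuneCountInString(pw) < 6 {
		return errors.New("password must be 6 chars or longer")
	}
	return nil
}

// ValidatePassword enforces the full policy the UI advertises. Length is
// counted in runes so a multi-byte character is not counted as several
// characters, and character classes use Unicode tables, not ASCII ranges.
// The first violated rule is returned so the API error can mirror the UI text.
func ValidatePassword(pw string) error {
	if utf8.RuneCountInString(pw) < MinPasswordLength {
		return ErrTooShort
	}
	var hasUpper, hasLower, hasDigit bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			hasUpper = true
		case unicode.IsLower(r):
			hasLower = true
		case unicode.IsDigit(r):
			hasDigit = true
		}
	}
	switch {
	case !hasUpper:
		return ErrNoUpper
	case !hasLower:
		return ErrNoLower
	case !hasDigit:
		return ErrNoDigit
	}
	return nil
}

// addUserRequest is a hypothetical request shape for a console
// "create user" endpoint; the real Nakama body is not shown in the report.
type addUserRequest struct {
	Username string `json:"username"`
	Email    string `json:"email"`
	Password string `json:"password"`
}

// AddUserHandler shows where the check belongs: at the API boundary, before
// any account is created, regardless of what the browser UI validated.
func AddUserHandler(w http.ResponseWriter, r *http.Request) {
	var req addUserRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "invalid JSON body", http.StatusBadRequest)
		return
	}
	if err := ValidatePassword(req.Password); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusCreated)
	fmt.Fprintf(w, `{"username":%q}`, req.Username)
}

func main() {
	// Constructed sample passwords, including the 6-character case from the report.
	samples := []string{"abc123", "Ab1cdefg", "abcdefgh1", "ABCDEFGH1", "Abcdefgh", "Pässw0rd"}
	for _, pw := range samples {
		fmt.Printf("%-12q weak=%v strict=%v\n", pw, WeakLengthOnlyCheck(pw), ValidatePassword(pw))
	}
}
```

The point of the two functions side by side is that a client-side check is a usability feature, not a control: only the check that runs inside the request handler decides whether "abc123" becomes a console account.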

We are processing your report and will contact the heroiclabs/nakama team within 24 hours (7 months ago)
Niraj Khatiwada modified the report (7 months ago)
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back (7 months ago)
heroiclabs/nakama maintainer has acknowledged this report (7 months ago)

Niraj Khatiwada (5 months ago):
Any updates?

Andrei Mihu modified the Severity from High (7.5) to None (0) (2 months ago)
Andrei Mihu modified the Severity from None (0) to Medium (5.3) (2 months ago)
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Andrei Mihu validated this vulnerability (2 months ago)
Niraj Khatiwada has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Andrei Mihu marked this as fixed in 3.16.0 with commit ada6f9 (2 months ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Feb 1st 2023
console_user.go#L171 has been validated
Andrei Mihu published this vulnerability (2 months ago)