fernet@0.0.1 vulnerabilities

Javascript implementation of Fernet symmetric encryption https://github.com/kr/fernet-spec

  • latest version

    0.3.2

  • latest non vulnerable version

  • first published

    10 years ago

  • latest version published

    10 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the fernet package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Timing Attack

    fernet is a Javascript implementation of Fernet symmetric encryption. Affected versions of the package are vulnerable to a timing attack.

    The library implemented a character to character comparison, similar to the built-in string comparison mechanism, ===, and not a time constant string comparison. As a result, the comparison will fail faster when the first characters in the HMAC are incorrect. An attacker can use this difference to perform a timing attack, essentially allowing them to guess the HMAC one character at a time.

    You can read more about timing attacks in Node.js on the Snyk blog.

    How to fix Timing Attack?

    Upgrade fernet to version 0.1.0 or higher.

    >=0.0.1 <0.1.0