fernet@0.0.1 vulnerabilities

Javascript implementation of Fernet symmetric encryption https://github.com/kr/fernet-spec

Direct Vulnerabilities

Known vulnerabilities in the fernet package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Timing Attack

fernet is a Javascript implementation of Fernet symmetric encryption. Affected versions of the package are vulnerable to a timing attack.

The library implemented a character to character comparison, similar to the built-in string comparison mechanism, ===, and not a time constant string comparison. As a result, the comparison will fail faster when the first characters in the HMAC are incorrect. An attacker can use this difference to perform a timing attack, essentially allowing them to guess the HMAC one character at a time.

You can read more about timing attacks in Node.js on the Snyk blog.

How to fix Timing Attack?

Upgrade fernet to version 0.1.0 or higher.

>=0.0.1 <0.1.0