http-signature 0.9.10 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the http-signature package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Timing Attack `http-signature` is a reference implementation of Joyent's HTTP Signature scheme. Affected versions of the package are vulnerable to Timing Attacks due to time-variable comparison of signatures. The library implemented a character to character comparison, similar to the built-in string comparison mechanism, `===`, and not a time constant string comparison. As a result, the comparison will fail faster when the first characters in the signature are incorrect. An attacker can use this difference to perform a timing attack, essentially allowing them to guess the signature one character at a time. You can read more about timing attacks in Node.js on the Snyk blog. How to fix Timing Attack? Upgrade `http-signature` to version 1.0.0 or higher.	<1.0.0
M Unsigned Request Headers `http-signature` is a Reference implementation of Joyent's HTTP Signature scheme. Affected versions of the package are vulnerable to header forgery, due to the header names not being signed. An attacker could switch the header list order and header value order ending up wit the same signature for two separate requests. How to fix Unsigned Request Headers? Upgrade `http-signature` to version 0.10.0 or higher.	>=0.9.0 <0.10.0

Vulnerability

Vulnerable Version

Timing Attack

http-signature is a reference implementation of Joyent's HTTP Signature scheme.

Affected versions of the package are vulnerable to Timing Attacks due to time-variable comparison of signatures.

The library implemented a character to character comparison, similar to the built-in string comparison mechanism, ===, and not a time constant string comparison. As a result, the comparison will fail faster when the first characters in the signature are incorrect. An attacker can use this difference to perform a timing attack, essentially allowing them to guess the signature one character at a time.

You can read more about timing attacks in Node.js on the Snyk blog.

How to fix Timing Attack?

Upgrade http-signature to version 1.0.0 or higher.

<1.0.0

Unsigned Request Headers

http-signature is a Reference implementation of Joyent's HTTP Signature scheme. Affected versions of the package are vulnerable to header forgery, due to the header names not being signed. An attacker could switch the header list order and header value order ending up wit the same signature for two separate requests.

How to fix Unsigned Request Headers?

Upgrade http-signature to version 0.10.0 or higher.

>=0.9.0 <0.10.0

http-signature@0.9.10 vulnerabilities

Reference implementation of Joyent's HTTP Signature scheme.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically