http-signature@0.9.11 vulnerabilities

Reference implementation of Joyent's HTTP Signature scheme.

Direct Vulnerabilities

Known vulnerabilities in the http-signature package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Timing Attack

http-signature is a reference implementation of Joyent's HTTP Signature scheme.

Affected versions of the package are vulnerable to Timing Attacks due to time-variable comparison of signatures.

The library implemented a character to character comparison, similar to the built-in string comparison mechanism, ===, and not a time constant string comparison. As a result, the comparison will fail faster when the first characters in the signature are incorrect. An attacker can use this difference to perform a timing attack, essentially allowing them to guess the signature one character at a time.

You can read more about timing attacks in Node.js on the Snyk blog.

How to fix Timing Attack?

Upgrade http-signature to version 1.0.0 or higher.

<1.0.0
  • M
Unsigned Request Headers

http-signature is a Reference implementation of Joyent's HTTP Signature scheme. Affected versions of the package are vulnerable to header forgery, due to the header names not being signed. An attacker could switch the header list order and header value order ending up wit the same signature for two separate requests.

How to fix Unsigned Request Headers?

Upgrade http-signature to version 0.10.0 or higher.

>=0.9.0 <0.10.0
  • M
Unsigned Request Headers

http-signature is a Reference implementation of Joyent's HTTP Signature scheme. Affected versions of the package are vulnerable to header forgery, due to the header names not being signed. An attacker could switch the header list order and header value order ending up wit the same signature for two separate requests.

How to fix Unsigned Request Headers?

Upgrade http-signature to version 0.10.0 or higher.

>=0.9.0 <0.10.0