http-signature@0.9.4 vulnerabilities

Reference implementation of Joyent's HTTP Signature scheme.

  • latest version

    1.4.0

  • latest non vulnerable version

  • first published

    13 years ago

  • latest version published

    1 years ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the http-signature package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Timing Attack

    http-signature is a reference implementation of Joyent's HTTP Signature scheme.

    Affected versions of the package are vulnerable to Timing Attacks due to time-variable comparison of signatures.

    The library implemented a character to character comparison, similar to the built-in string comparison mechanism, ===, and not a time constant string comparison. As a result, the comparison will fail faster when the first characters in the signature are incorrect. An attacker can use this difference to perform a timing attack, essentially allowing them to guess the signature one character at a time.

    You can read more about timing attacks in Node.js on the Snyk blog.

    How to fix Timing Attack?

    Upgrade http-signature to version 1.0.0 or higher.

    <1.0.0
    • M
    Unsigned Request Headers

    http-signature is a Reference implementation of Joyent's HTTP Signature scheme. Affected versions of the package are vulnerable to header forgery, due to the header names not being signed. An attacker could switch the header list order and header value order ending up wit the same signature for two separate requests.

    How to fix Unsigned Request Headers?

    Upgrade http-signature to version 0.10.0 or higher.

    >=0.9.0 <0.10.0