1.4.0
13 years ago
1 years ago
Known vulnerabilities in the http-signature package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for freeVulnerability | Vulnerable Version |
---|---|
Affected versions of the package are vulnerable to Timing Attacks due to time-variable comparison of signatures. The library implemented a character to character comparison, similar to the built-in string comparison mechanism, You can read more about timing attacks in Node.js on the Snyk blog. How to fix Timing Attack? Upgrade | <1.0.0 |
How to fix Unsigned Request Headers? Upgrade | >=0.9.0 <0.10.0 |