http-signature@0.9.4 vulnerabilities

Reference implementation of Joyent's HTTP Signature scheme.

latest version

1.4.0
latest non vulnerable version

1.4.0
first published

13 years ago
latest version published

a year ago
licenses detected
- MIT
  >=0
View http-signature package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the http-signature package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Timing Attack `http-signature` is a reference implementation of Joyent's HTTP Signature scheme. Affected versions of the package are vulnerable to Timing Attacks due to time-variable comparison of signatures. The library implemented a character to character comparison, similar to the built-in string comparison mechanism, `===`, and not a time constant string comparison. As a result, the comparison will fail faster when the first characters in the signature are incorrect. An attacker can use this difference to perform a timing attack, essentially allowing them to guess the signature one character at a time. You can read more about timing attacks in Node.js on the Snyk blog. How to fix Timing Attack? Upgrade `http-signature` to version 1.0.0 or higher.	<1.0.0
M Unsigned Request Headers `http-signature` is a Reference implementation of Joyent's HTTP Signature scheme. Affected versions of the package are vulnerable to header forgery, due to the header names not being signed. An attacker could switch the header list order and header value order ending up wit the same signature for two separate requests. How to fix Unsigned Request Headers? Upgrade `http-signature` to version 0.10.0 or higher.	>=0.9.0 <0.10.0

Timing Attack

http-signature is a reference implementation of Joyent's HTTP Signature scheme.

Affected versions of the package are vulnerable to Timing Attacks due to time-variable comparison of signatures.

The library implemented a character to character comparison, similar to the built-in string comparison mechanism, ===, and not a time constant string comparison. As a result, the comparison will fail faster when the first characters in the signature are incorrect. An attacker can use this difference to perform a timing attack, essentially allowing them to guess the signature one character at a time.

You can read more about timing attacks in Node.js on the Snyk blog.

How to fix Timing Attack?

Upgrade http-signature to version 1.0.0 or higher.

<1.0.0

Unsigned Request Headers

http-signature is a Reference implementation of Joyent's HTTP Signature scheme. Affected versions of the package are vulnerable to header forgery, due to the header names not being signed. An attacker could switch the header list order and header value order ending up wit the same signature for two separate requests.

How to fix Unsigned Request Headers?

Upgrade http-signature to version 0.10.0 or higher.

>=0.9.0 <0.10.0

Go back to all versions of this package

http-signature@0.9.4 vulnerabilities

Reference implementation of Joyent's HTTP Signature scheme.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities