Improper Verification of Cryptographic Signature Affecting @axonflow/sdk package, versions <7.0.0


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-AXONFLOWSDK-16636560
  • published11 May 2026
  • disclosed6 May 2026
  • creditAxonFlow

Introduced: 6 May 2026

CVE NOT AVAILABLE CWE-345  (opens in a new tab)
CWE-347  (opens in a new tab)

How to fix?

Upgrade @axonflow/sdk to version 7.0.0 or higher.

Overview

@axonflow/sdk is an AxonFlow SDK - Add invisible AI governance to your applications in 3 lines of code

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the lack of exposure of the HMAC-SHA256 signing key in the SDK's typed API, which prevents verification of the X-AxonFlow-Signature header on incoming webhook deliveries. An attacker can cause the receiving application to act on forged webhook events by sending crafted payloads to the webhook endpoint.

CVSS Base Scores

version 4.0
version 3.1