Homepage
About Snyk

Authentication Bypass Affecting svix package, versions <1.17.0

0.0
medium

Snyk CVSS

    Attack Complexity High
    User Interaction Required
    Integrity High

    Threat Intelligence

    EPSS 0.05% (15th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUST-SVIX-6230729
  • published 12 Feb 2024
  • disclosed 6 Feb 2024
  • credit Fredrik Meringdal
Report a new vulnerability Found a mistake?

Introduced: 6 Feb 2024

CVE-2024-21491 Open this link in a new tab
CWE-288 Open this link in a new tab

How to fix?

Upgrade svix to version 1.17.0 or higher.

Overview

Affected versions of this package are vulnerable to Authentication Bypass due to an issue in the verify function where signatures of different lengths are incorrectly compared. An attacker can bypass signature verification by providing a shorter signature that matches the beginning of the actual signature.

Note:

The attacker would need to know a victim uses the Rust library for verification,no easy way to automatically check that; and uses webhooks by a service that uses Svix, and then figure out a way to craft a malicious payload that will actually include all of the correct identifiers needed to trick the receivers to cause actual issues.