Authentication Bypass Affecting svix package, versions <1.17.0


Severity

medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS
0.05% (24th percentile)

  • Snyk ID: SNYK-RUST-SVIX-6230729
  • published: 12 Feb 2024
  • disclosed: 6 Feb 2024
  • credit: Fredrik Meringdal

Introduced: 6 Feb 2024

CVE-2024-21491
CWE-288

How to fix?

Upgrade svix to version 1.17.0 or higher.

Overview

Affected versions of this package are vulnerable to Authentication Bypass due to an issue in the verify function where signatures of different lengths are incorrectly compared. An attacker can bypass signature verification by providing a shorter signature that matches the beginning of the actual signature.

Note:

The attacker would need to know that a victim uses the Rust library for verification (there is no easy way to check this automatically) and uses webhooks from a service that uses Svix, and would then need to figure out a way to craft a malicious payload that actually includes all of the correct identifiers needed to trick the receiver into causing actual issues.
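The comparison flaw described in the overview, shown beside a length-checked form. This is an added illustration, not the svix crate's source: the function names and the sample bytes are constructed for the example, and the flawed version is an assumed shape of a comparison that ignores length.

```rust
// Added illustration; NOT the svix crate's code. Names are hypothetical.

/// Flawed: `zip` stops at the shorter slice, so only the overlapping
/// prefix is compared and a length mismatch is never noticed.
fn prefix_only_eq(expected: &[u8], provided: &[u8]) -> bool {
    expected
        .iter()
        .zip(provided.iter())
        .fold(0u8, |diff, (a, b)| diff | (a ^ b))
        == 0
}

/// Hardened: reject any length mismatch first, then fold over every
/// byte with no early exit on the first differing position.
fn full_length_eq(expected: &[u8], provided: &[u8]) -> bool {
    if expected.len() != provided.len() {
        return false;
    }
    expected
        .iter()
        .zip(provided.iter())
        .fold(0u8, |diff, (a, b)| diff | (a ^ b))
        == 0
}

/// Runs both comparisons over constructed sample bytes (not a real signature).
/// Returns (flawed accepts truncated, hardened accepts truncated,
/// hardened accepts full-length match).
fn demo() -> (bool, bool, bool) {
    let expected: [u8; 8] = [0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x4d, 0xb8, 0x10];
    let truncated = &expected[..3];
    (
        prefix_only_eq(&expected, truncated),
        full_length_eq(&expected, truncated),
        full_length_eq(&expected, &expected),
    )
}

fn main() {
    let (flawed, hardened_short, hardened_full) = demo();
    println!("flawed accepts truncated:     {flawed}");
    println!("hardened accepts truncated:   {hardened_short}");
    println!("hardened accepts full match:  {hardened_full}");
}
```

A regression test for a webhook receiver can assert the same property against its own verification path: a signature shorter than the expected one must be rejected. For production code, prefer a vetted constant-time comparison such as the `subtle` crate's `ConstantTimeEq` over a hand-written fold.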
