Timing Attack Affecting http-signature package, versions <1.0.0


Severity: medium (CVSS assessment made by Snyk's Security Team)

  • Snyk ID: npm:http-signature:20150122
  • published: 28 Jun 2017
  • disclosed: 21 Jan 2015
  • credit: Alok Menghrajani

Introduced: 21 Jan 2015

CVE: not available. CWE-310

How to fix?

Upgrade http-signature to version 1.0.0 or higher.

Overview

http-signature is a reference implementation of Joyent's HTTP Signature scheme.

Affected versions of the package are vulnerable to Timing Attacks due to time-variable comparison of signatures.

The library implemented a character-by-character comparison, similar to the built-in string equality operator, ===, rather than a constant-time string comparison. As a result, the comparison fails faster when the first characters of the supplied signature are wrong. An attacker can measure this difference to perform a timing attack, essentially allowing them to guess the signature one character at a time.

You can read more about timing attacks in Node.js on the Snyk blog.

CVSS Scores (CVSS version 3.1)