
Svix vulnerable to improper comparison of different-length signatures

Moderate severity GitHub Reviewed Published Feb 6, 2024 to the GitHub Advisory Database • Updated Feb 6, 2024

Package

cargo svix (Rust)

Affected versions

< 1.17.0

Patched versions

1.17.0

Description

The Webhook::verify function incorrectly compared signatures of different lengths: the two signatures were only compared up to the length of the shorter one. This allowed an attacker to pass in "v1," as the signature, which would always pass verification.
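As an added illustration (not Svix's own code), the comparison pattern the advisory describes is shown beside the corrected check; the expected signature value is constructed for the example and the function names are hypothetical:

```rust
// Added example reconstructing the bug class from the advisory; not Svix's code.

/// Constructed sample in the "v1,<base64>" header shape the advisory refers to.
pub const EXPECTED_SIG: &[u8] = b"v1,g0hM9SsE+OTPJTGt/tmIKtSyZlE3uFXCx4r5gmz1c4A=";

/// Flawed comparison: `zip` stops at the shorter input, so only that many bytes
/// are compared. Any prefix of the expected signature (including just "v1,")
/// therefore passes. Hypothetical reconstruction of the described defect.
pub fn verify_vulnerable(expected: &[u8], provided: &[u8]) -> bool {
    let mut diff: u8 = 0;
    for (a, b) in expected.iter().zip(provided.iter()) {
        diff |= a ^ b;
    }
    diff == 0
}

/// Corrected comparison: reject on length mismatch first, then compare every
/// byte without early exit. The length itself is not secret (the HMAC output
/// size is fixed), so the early length check leaks nothing useful.
pub fn verify_fixed(expected: &[u8], provided: &[u8]) -> bool {
    if expected.len() != provided.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (a, b) in expected.iter().zip(provided.iter()) {
        diff |= a ^ b;
    }
    diff == 0
}

fn main() {
    let truncated: &[u8] = b"v1,";
    println!(
        "vulnerable accepts prefix: {}, fixed accepts prefix: {}",
        verify_vulnerable(EXPECTED_SIG, truncated),
        verify_fixed(EXPECTED_SIG, truncated)
    );
}
```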

References

Published to the GitHub Advisory Database Feb 6, 2024
Reviewed Feb 6, 2024
Last updated Feb 6, 2024

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-w277-wpqf-rcfv

Source code
