connect-redis-sessions@0.2.0

Vulnerabilities

1 via 1 paths

Dependencies

18

Source

npm

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
Status
  • 1
  • 0
  • 0

medium severity

Non-Constant Time String Comparison

  • Vulnerable module: cookie-signature
  • Introduced through: express-session@1.0.4

Detailed paths

  • Introduced through: connect-redis-sessions@0.2.0 express-session@1.0.4 cookie-signature@1.0.3
    Remediation: Upgrade to connect-redis-sessions@1.2.0.

Overview

'cookie-signature' is a library for signing cookies.

Versions before 1.0.4 of the library use the built-in string comparison mechanism, ===, and not a time constant string comparison. As a result, the comparison will fail faster when the first characters in the token are incorrect. An attacker can use this difference to perform a timing attack, essentially allowing them to guess the secret one character at a time.

You can read more about timing attacks in Node.js on the Snyk blog: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/

Remediation

Upgrade to 1.0.4 or greater.

References