http-signature@0.10.1

Vulnerabilities

1 via 1 paths

Dependencies

3

Source

npm

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
Status
  • 1
  • 0
  • 0

medium severity

Timing Attack

  • Vulnerable module: http-signature
  • Introduced through: http-signature@0.10.1

Detailed paths

  • Introduced through: http-signature@0.10.1
    Remediation: Upgrade to http-signature@1.0.0.

Overview

http-signature is a reference implementation of Joyent's HTTP Signature scheme.

Affected versions of the package are vulnerable to Timing Attacks due to time-variable comparison of signatures.

The library implemented a character to character comparison, similar to the built-in string comparison mechanism, ===, and not a time constant string comparison. As a result, the comparison will fail faster when the first characters in the signature are incorrect. An attacker can use this difference to perform a timing attack, essentially allowing them to guess the signature one character at a time.

You can read more about timing attacks in Node.js on the Snyk blog.

Remediation

Upgrade http-signature to version 1.0.0 or higher.

References