Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13Mjc3LXdwcWYtcmNmds4AA5H1

Svix vulnerable to improper comparison of different-length signatures

The `Webhook::verify` function incorrectly compared signatures of different lengths: the two signatures were only compared up to the length of the shorter one. This allowed an attacker to pass in `v1,` (a versioned header entry with an empty signature) as the signature, which would always pass verification.
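An added example, not svix's own code, contrasting a comparison that stops at the shorter input (the defect described above) with a length-checked, constant-time comparison. `EXPECTED_SIG` is a constructed stand-in for the HMAC a verifier would compute, and `split_versioned` is a simplified stand-in for parsing a `v1,<signature>` header entry.

```rust
/// Comparison of the kind the advisory describes: `zip` stops at the shorter
/// slice, so any prefix of the expected value (including an empty candidate)
/// compares as "equal".
pub fn prefix_compare(candidate: &[u8], expected: &[u8]) -> bool {
    let mut diff = 0u8;
    for (a, b) in candidate.iter().zip(expected.iter()) {
        diff |= a ^ b;
    }
    diff == 0
}

/// Corrected comparison: reject a length mismatch first, then fold every byte
/// into `diff` with no early exit, so the position of the first differing
/// byte is not leaked through timing.
pub fn constant_time_eq(candidate: &[u8], expected: &[u8]) -> bool {
    if candidate.len() != expected.len() {
        return false;
    }
    let mut diff = 0u8;
    for (a, b) in candidate.iter().zip(expected.iter()) {
        diff |= a ^ b;
    }
    diff == 0
}

/// Constructed stand-in for the computed signature (a real verifier derives
/// this from the webhook secret and the payload).
pub const EXPECTED_SIG: &[u8] = b"q8f5jRz1xKc2o0sb6dVnLm4pY7wA3eHt";

/// Splits a `version,signature` header entry; `None` if there is no comma.
/// Simplified stand-in for real header parsing.
pub fn split_versioned(entry: &str) -> Option<(&str, &str)> {
    entry.split_once(',')
}

/// Verification using the flawed comparison: accepts `v1,` and any prefix.
pub fn verify_flawed(entry: &str) -> bool {
    match split_versioned(entry) {
        Some(("v1", sig)) => prefix_compare(sig.as_bytes(), EXPECTED_SIG),
        _ => false,
    }
}

/// Verification using the corrected comparison: only an exact match passes.
pub fn verify_fixed(entry: &str) -> bool {
    match split_versioned(entry) {
        Some(("v1", sig)) => constant_time_eq(sig.as_bytes(), EXPECTED_SIG),
        _ => false,
    }
}
```

The same length check applies to any signature comparison that iterates over paired bytes; crates such as `subtle` or `constant_time_eq` bundle it with the constant-time loop.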

Permalink: https://github.com/advisories/GHSA-w277-wpqf-rcfv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13Mjc3LXdwcWYtcmNmds4AA5H1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 24 days ago
Updated: 24 days ago
Identifiers: GHSA-w277-wpqf-rcfv
References:

Affected Packages

cargo:svix
Versions: < 1.17.0
Fixed in: 1.17.0