Ecosyste.ms: Advisories

whatsapp-api-js fails to validate message's signature

Impact

Incorrect Access Control: anyone using the post or verifyRequestSignature methods to handle messages is impacted.

Patches

Patched in version 4.0.3.

Workarounds

The payload can still be validated by calling WhatsAppAPI.verifyRequestSignature and expecting false when the signature is valid.

function doPost(payload, header_signature) {
    // In affected versions a valid signature yields false, so a true result is a rejection
    if (whatsapp.verifyRequestSignature(payload.toString(), header_signature)) {
        throw 403;
    }

    // Now the payload is correctly verified
    whatsapp.post(payload);
}

References

https://github.com/Secreto31126/whatsapp-api-js/pull/371

Permalink: https://github.com/advisories/GHSA-mwhf-vhr5-7j23
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1td2hmLXZocjUtN2oyM84AA_gO
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 2 months ago
Updated: 2 months ago


CVSS Score: 5.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Identifiers: GHSA-mwhf-vhr5-7j23, CVE-2024-45607
References: Repository: https://github.com/Secreto31126/whatsapp-api-js
Blast Radius: 5.8

Affected Packages

npm:whatsapp-api-js
Dependent packages: 0
Dependent repositories: 10
Downloads: 3,712 last month
Affected Version Ranges: >= 4.0.0, < 4.0.3
Fixed in: 4.0.3
All affected versions: 4.0.0, 4.0.1, 4.0.2
All unaffected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.6, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.6.1, 0.6.2, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 3.0.0, 3.0.1, 3.1.0, 4.0.3, 4.1.0, 4.1.1