Cxa6b1c6b3-0f59 @ Npm-http-signature-0.10.1

**Checkmarx \(SCA\):** Vulnerable Package
**Vulnerability:** [Read More ](https://devhub.checkmarx.com/cve-details/Cxa6b1c6b3-0f59) about Cxa6b1c6b3-0f59
**Checkmarx Project:** [cx\-boris\-goman/AutoPR](https://rel-candidate.perf.cxast.net/projects/4f3b5075-3c86-4854-8fd3-efd609980d39/overview?branch=kid)
**Repository URL:** [https://github.com/cx\-boris\-goman/AutoPR](https://github.com/cx-boris-goman/AutoPR)
**Branch:** kid
**Scan ID:** [bfaa74de\-6358\-4edb\-a528\-1d669bc0863c](https://rel-candidate.perf.cxast.net/projects/4f3b5075-3c86-4854-8fd3-efd609980d39/scans?id=bfaa74de-6358-4edb-a528-1d669bc0863c&branch=kid)


----
Http-signature prior to 1.0.0 is vulnerable to Timing Attacks against the signature verification. The library performs strict equality comparison (`===`) to validate the signatures. This built-in JavaScript comparison works by comparing the values character by character, meaning the comparison returns in different amounts of time depending on how many characters match. This can be used to guess the valid signature one character at a time. The issue was mitigated by double-hashing before comparing values. 







----
**Additional Info**
**Attack vector:** NETWORK
**Attack complexity:** HIGH
**Confidentiality impact:** LOW
**Availability impact:** NONE
**Remediation Upgrade Recommendation:** 1.0.0


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cxa6b1c6b3-0f59 @ Npm-http-signature-0.10.1 #399

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Cxa6b1c6b3-0f59 @ Npm-http-signature-0.10.1 #399

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions