RUSTSEC-2024-0010: Vulnerability in svix

Rust Crates.io Security Advisory



RUSTSEC-2024-0010

Improper comparison of different-length signatures


Reported
Issued

Package

svix
(crates.io)

Type

Vulnerability

Categories

References

Patched
  • >=1.17.0

Affected Functions
  Function                           Version
  svix::webhooks::Webhook::verify    <1.17.0

Description

The Webhook::verify function compared the expected signature against
the supplied one without first checking that their lengths matched:
the two values were only compared up to the length of the shorter one.
A supplied signature that is any prefix of the expected value therefore
passed, and in the degenerate case an attacker could send a header of
just "v1," (the version prefix with an empty signature body), whose
zero-length value compares equal to anything and so always passes
verification. Applications using svix below 1.17.0 should upgrade;
signature checks must reject a length mismatch before comparing bytes.
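The following is an added illustration of the flaw and its fix, not code from svix. It models the header format as space-separated `v1,<sig>` entries and compares a candidate against a fixed expected MAC. Two simplifications are assumptions: the signature body is hex-encoded here (svix uses base64), and `EXPECTED_MAC` is a constructed stand-in for the HMAC-SHA256 output the real library computes from the secret, message id, timestamp and payload.

```rust
// Added example (not svix code): a length-truncating comparison versus a
// length-checked constant-time one, driven through a minimal header parser.

/// Constructed stand-in for the HMAC the server computes over the payload.
pub const EXPECTED_MAC: [u8; 4] = [0xde, 0xad, 0xbe, 0xef];

/// FLAWED: `zip` stops at the shorter slice, so a zero-length candidate,
/// or any prefix of the expected value, compares equal.
pub fn truncating_eq(a: &[u8], b: &[u8]) -> bool {
    a.iter().zip(b.iter()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// FIXED: reject a length mismatch first, then compare every byte without
/// an early exit so the time taken does not depend on where bytes differ.
pub fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b.iter()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Decode a hex string; odd length or non-hex input yields None.
/// (Assumption: hex instead of svix's base64, to keep the example dependency-free.)
pub fn hex_decode(s: &str) -> Option<Vec<u8>> {
    if s.len() % 2 != 0 {
        return None;
    }
    s.as_bytes()
        .chunks(2)
        .map(|pair| std::str::from_utf8(pair).ok().and_then(|h| u8::from_str_radix(h, 16).ok()))
        .collect()
}

/// Parse a header of space-separated `v1,<hex>` entries and accept if any
/// entry matches `expected` under the supplied comparison function.
pub fn verify_header(header: &str, expected: &[u8], eq: fn(&[u8], &[u8]) -> bool) -> bool {
    header
        .split(' ')
        .filter_map(|entry| entry.split_once(','))
        .any(|(version, sig)| {
            version == "v1" && hex_decode(sig).map_or(false, |bytes| eq(expected, &bytes))
        })
}

fn main() {
    // The advisory's bypass: a bare "v1," header carries an empty signature.
    println!("flawed, 'v1,'        -> {}", verify_header("v1,", &EXPECTED_MAC, truncating_eq));
    println!("flawed, 'v1,dead'    -> {}", verify_header("v1,dead", &EXPECTED_MAC, truncating_eq));
    println!("fixed,  'v1,'        -> {}", verify_header("v1,", &EXPECTED_MAC, constant_time_eq));
    println!("fixed,  'v1,dead'    -> {}", verify_header("v1,dead", &EXPECTED_MAC, constant_time_eq));
    println!("fixed,  'v1,deadbeef'-> {}", verify_header("v1,deadbeef", &EXPECTED_MAC, constant_time_eq));
}
```

Run it and the flawed comparison accepts both the empty body and the two-byte prefix, while the length-checked version accepts only the full value. The same check applies to any MAC verifier: compare lengths first, then every byte, and never let the caller's input decide how many bytes are examined.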

Advisory available under CC0-1.0 license.
