GHSA-w277-wpqf-rcfv: Svix vulnerable to improper comparison of different-length signatures

February 6, 2024

The Webhook::verify function incorrectly compared signatures of different lengths - the two signatures would only be compared up to the length of the shorter signature. This allowed an attacker to pass in v1, as the signature, which would always pass verification.

References

github.com/advisories/GHSA-w277-wpqf-rcfv
github.com/svix/svix-webhooks
github.com/svix/svix-webhooks/commit/958821bd3b956d1436af65f70a0964d4ffb7daf6
github.com/svix/svix-webhooks/pull/1190
rustsec.org/advisories/RUSTSEC-2024-0010.html

Detect and mitigate GHSA-w277-wpqf-rcfv with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →