GHSA-mwhf-vhr5-7j23
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mwhf-vhr5-7j23
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-mwhf-vhr5-7j23/GHSA-mwhf-vhr5-7j23.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mwhf-vhr5-7j23
- Aliases
- Published
- 2024-09-12T21:29:17Z
- Modified
- 2024-09-12T21:58:08.792359Z
- Severity
-
- 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N CVSS Calculator
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N CVSS Calculator
- Summary
- whatsapp-api-js fails to validate message's signature
- Details
-
Impact
Incorrect Access Control, anyone using the post or verifyRequestSignature methods to handle messages is impacted.
Patches
Patched in version 4.0.3.
Workarounds
It's possible to check the payload validation using the WhatsAppAPI.verifyRequestSignature and expect false when the signature is valid.
function doPost(payload, header_signature) { if (whatsapp.verifyRequestSignature(payload.toString(), header_signature) { throw 403; } // Now the payload is correctly verified whatsapp.post(payload); }References
https://github.com/Secreto31126/whatsapp-api-js/pull/371
- Database specific
{ "github_reviewed_at": "2024-09-12T21:29:17Z", "cwe_ids": [ "CWE-347" ], "nvd_published_at": "2024-09-12T20:15:05Z", "severity": "MODERATE", "github_reviewed": true }- References
-
- https://github.com/Secreto31126/whatsapp-api-js/security/advisories/GHSA-mwhf-vhr5-7j23
- https://nvd.nist.gov/vuln/detail/CVE-2024-45607
- https://github.com/Secreto31126/whatsapp-api-js/pull/371
- https://github.com/Secreto31126/whatsapp-api-js/commit/56620c65126427496a94d176082fbd8393a95b6d
- https://github.com/Secreto31126/whatsapp-api-js
Affected packages
npm / whatsapp-api-js
Package
- Name
- whatsapp-api-js
- View open source insights on deps.dev
- Purl
- pkg:npm/whatsapp-api-js