GHSA-w277-wpqf-rcfv

Source

https://github.com/advisories/GHSA-w277-wpqf-rcfv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-w277-wpqf-rcfv/GHSA-w277-wpqf-rcfv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w277-wpqf-rcfv

Aliases

Withdrawn

2026-01-23T22:35:18Z

Published

2024-02-06T20:30:14Z

Modified

2026-02-03T03:08:16.513003Z

Summary

Duplicate Advisory: Svix vulnerable to improper comparison of different-length signatures

Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-747x-5m58-mq97. This link is maintained to preserve external references.

Original Description

The Webhook::verify function incorrectly compared signatures of different lengths - the two signatures would only be compared up to the length of the shorter signature. This allowed an attacker to pass in v1, as the signature, which would always pass verification.

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2024-02-06T20:30:14Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": []
}

References

Affected packages

crates.io / svix

Package

Name: svix; View open source insights on deps.dev
Purl: pkg:cargo/svix

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.17.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-w277-wpqf-rcfv/GHSA-w277-wpqf-rcfv.json"