- Reported
-
- Issued
-
- Package
-
svix
(crates.io)
- Type
-
Vulnerability
- Categories
-
- Aliases
-
- References
-
- Patched
-
- Affected Functions
- Version
svix::webhooks::Webhook::verify-
Description
The Webhook::verify function incorrectly compared signatures of
different lengths - the two signatures would only be compared up to
the length of the shorter signature. This allowed an attacker to
pass in v1, as the signature, which would always pass verification.
Advisory available under CC0-1.0
license.