CVE-2022-31142 – @fastify/bearer-auth
Package
Manager: npm
Name: @fastify/bearer-auth
Vulnerable Version: >=0 <7.0.2 || =8.0.0 || >=8.0.0 <8.0.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00607 (percentile 0.68738)
Details
fastify-bearer-auth vulnerable to Timing Attack Vector

### Impact
fastify-bearer-auth does not use crypto.timingSafeEqual securely. A malicious attacker could estimate the length of a valid bearer token. Per RFC 6750, a bearer token consists only of characters valid in base64, which narrows the character set a brute-force attack has to cover. All versions of fastify-bearer-auth are also affected.

### Patches
We released:
* v8.0.1 with a fix for the Fastify v4 line
* v7.0.2 with a fix for the Fastify v3 line

### Workarounds
There are no workarounds. Update your dependencies.

### References
https://hackerone.com/reports/1633287

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [https://github.com/fastify/fastify-bearer-auth](https://github.com/fastify/fastify-bearer-auth)
* Email us at [hello@matteocollina.com](mailto:hello@matteocollina.com)
Metadata
Created: 2022-07-15T19:14:27Z
Modified: 2022-07-21T15:57:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-376v-xgjx-7mfr/GHSA-376v-xgjx-7mfr.json
CWE IDs: ["CWE-203", "CWE-208"]
Alternative ID: GHSA-376v-xgjx-7mfr
Finding: F063
Auto approve: 1