Score | Severity |
---|---|
7.5 | High |

CVSS3 metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |

EPSS | Percentile |
---|---|
0.001 (Low) | 46.8% |
fastify-bearer-auth does not use crypto.timingSafeEqual securely: a malicious attacker could estimate the length of a valid bearer token. According to the corresponding RFC 6750, a bearer token contains only base64 characters, which further reduces the character range a brute force attack has to cover.
All versions of fastify-bearer-auth are also affected.
We released:
There are no workarounds. Update your dependencies.
https://hackerone.com/reports/1633287
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
 | @fastify/bearer-auth | eq | 8.0.0 |
 | @fastify/bearer-auth | lt | 7.0.2 |
 | fastify-bearer-auth | ge | 5.0.1 |
 | fastify-bearer-auth | le | 6.0.3 |
github.com/advisories/GHSA-376v-xgjx-7mfr
github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4
github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716
github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f
github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr
hackerone.com/reports/1633287
nvd.nist.gov/vuln/detail/CVE-2022-31142