NodeJS/cookie-signature/1.0.0
Sign and unsign cookies
https://www.npmjs.com/package/cookie-signature
MIT
2 Security Vulnerabilities
cookie-signature Timing Attack
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000236
- https://github.com/advisories/GHSA-92vm-wfm5-mxvv
- https://github.com/tj/node-cookie-signature/commit/2c4df6b6cee540f30876198cd0b5bebf28528c07
- https://github.com/tj/node-cookie-signature/commit/4cc5e21e7f59a4ea0b51cd5e9634772d48fab590
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838618
- https://bugzilla.redhat.com/show_bug.cgi?id=1371409
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000236
- https://security-tracker.debian.org/tracker/CVE-2016-1000236
- https://travis-ci.com/nodejs/security-wg/builds/76423102
- https://www.mail-archive.com/secure-testing-team@lists.alioth.debian.org/msg06583.html
- https://github.com/tj/node-cookie-signature/commit/39791081692e9e14aa62855369e1c7f80fbfd50e
- https://www.npmjs.com/advisories/134
Affected versions of cookie-signature are vulnerable to timing attacks because a signature is verified with a fail-early string comparison instead of a constant-time comparison. A fail-early comparison returns as soon as it meets a mismatching character, so the time the check takes reveals how many leading characters of a guess are correct. That per-character feedback, leaked through minuscule timing differences, removes the exponential increase in work that a longer secret would otherwise buy: under favorable network conditions an attacker can recover the secret in no more than charset*length guesses, instead of the charset^length guesses that would be required were the timing attack not present.
Recommendation
Update to 1.0.4 or later.
Timing attack vulnerability
Cookie-signature is a library for signing cookies.
Versions before 1.0.4 were vulnerable to timing attacks.
12 Other Versions
Version | License | Security | Released | Age
---|---|---|---|---
1.2.1 | MIT | | 2023-02-27 - 17:55 | over 1 year
1.2.0 | MIT | | 2022-02-17 - 20:23 | over 2 years
1.1.0 | MIT | | 2018-01-19 - 04:32 | over 6 years
1.0.7 | MIT | | 2023-04-12 - 23:59 | over 1 year
1.0.6 | MIT | | 2015-02-03 - 22:23 | over 9 years
1.0.5 | MIT | 1 | 2014-09-05 - 23:22 | about 10 years
1.0.4 | MIT | 1 | 2014-06-25 - 22:14 | over 10 years
1.0.3 | MIT | 2 | 2014-01-29 - 01:15 | over 10 years
1.0.2 | MIT | 2 | 2014-01-29 - 00:00 | over 10 years
1.0.1 | MIT | 2 | 2013-04-15 - 19:29 | over 11 years
1.0.0 | MIT | 2 | 2013-04-12 - 19:07 | over 11 years
0.0.1 | MIT | 2 | 2012-10-15 - 15:53 | almost 12 years