NodeJS/cookie-signature/1.0.3


Sign and unsign cookies

https://www.npmjs.com/package/cookie-signature
MIT

2 Security Vulnerabilities

cookie-signature Timing Attack

Published date: 2020-01-06T18:44:10Z
CVE: CVE-2016-1000236

Affected versions of cookie-signature are vulnerable to timing attacks because the signature check compares the supplied signature against the expected one with a fail-early comparison (returning at the first differing character) instead of a constant-time comparison.

A fail-early comparison takes slightly longer the more leading characters of the guess are correct, so the response time gives per-character feedback on a guess via minuscule timing differences. That feedback removes the exponential advantage that a longer secret would otherwise give: each character can be attacked on its own instead of the whole value at once.

Given enough timing resolution (a low-jitter network path, or an attacker on the same host who can average many samples per guess), the value being compared (the valid signature for a chosen cookie value) can be recovered in at most charset*length guesses, where charset is the size of the signature alphabet and length is the signature length, instead of the charset^length guesses a blind search would need. The attacker can then present that cookie as genuine without knowing the signing secret.

Recommendation

Update to 1.0.4 or later for this advisory. Note that the second advisory on this page still lists 1.0.4 and 1.0.5 as affected, so 1.0.6 is the lowest version that clears both.

Affected versions: ["0.0.1", "1.0.0", "1.0.1", "1.0.2", "1.0.3"]
Secure versions: [1.0.6, 1.0.7, 1.1.0, 1.2.0, 1.2.1, 1.2.2]
Recommendation: Update to version 1.2.2.

Timing attack vulnerability

Published date: 2016-08-29
CVEs: ["CVE-2016-1000236"]
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
Coordinating vendor: Lift Security

Cookie-signature is a library for signing cookies.

Versions before 1.0.6 were vulnerable to timing attacks in the signature check: 1.0.4 and 1.0.5 are still listed as affected below, and the fix is in 1.0.6.

Affected versions: ["0.0.1", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.0.5"]
Secure versions: [1.0.6, 1.0.7, 1.1.0, 1.2.0, 1.2.1, 1.2.2]
Recommendation: Upgrade to 1.0.6 or latest

13 Other Versions

Version  License  Advisories  Released (UTC)     Age at time of listing
0.0.1    MIT      2           2012-10-15 15:53   about 12 years
1.0.0    MIT      2           2013-04-12 19:07   over 11 years
1.0.1    MIT      2           2013-04-15 19:29   over 11 years
1.0.2    MIT      2           2014-01-29 00:00   almost 11 years
1.0.3    MIT      2           2014-01-29 01:15   almost 11 years
1.0.4    MIT      1           2014-06-25 22:14   over 10 years
1.0.5    MIT      1           2014-09-05 23:22   over 10 years
1.0.6    MIT      0           2015-02-03 22:23   almost 10 years
1.0.7    MIT      0           2023-04-12 23:59   over 1 year
1.1.0    MIT      0           2018-01-19 04:32   almost 7 years
1.2.0    MIT      0           2022-02-17 20:23   almost 3 years
1.2.1    MIT      0           2023-02-27 17:55   almost 2 years
1.2.2    MIT      0           2024-10-29 19:39   about 1 month