CVE-2025-59058
BaseFortify
Publication date: 2025-09-12
Last updated on: 2025-09-15
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| junkurihara | httpsig | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in httpsig-rs (a Rust implementation of IETF RFC 9421 HTTP message signatures) prior to version 0.0.19 is that the HMAC signature comparison is not timing-safe. This means an attacker can exploit timing differences during signature verification to perform a timing attack and forge a HS256 signature.
How can this vulnerability impact me? :
This vulnerability allows an attacker to forge HS256 signatures by exploiting timing attacks during signature verification. This can lead to unauthorized actions or data manipulation in systems relying on httpsig-rs for signature verification.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the httpsig-rs library to version 0.0.19 or later, as this version fixes the timing attack vulnerability in HMAC signature comparison.