CVE-2025-59058
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-12

Last updated on: 2025-09-15

Assigner: GitHub, Inc.

Description
httpsig-rs is a Rust implementation of IETF RFC 9421 http message signatures. Prior to version 0.0.19, the HMAC signature comparison is not timing-safe. This makes anyone who uses HS256 signature verification vulnerable to a timing attack that allows the attacker to forge a signature. Version 0.0.19 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-12
Last Modified
2025-09-15
Generated
2026-06-16
AI Q&A
2025-09-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59058
EUVD
EUVD-2025-29041
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
junkurihara httpsig *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in httpsig-rs (a Rust implementation of IETF RFC 9421 HTTP message signatures) prior to version 0.0.19 is that the HMAC signature comparison is not timing-safe. This means an attacker can exploit timing differences during signature verification to perform a timing attack and forge a HS256 signature.

Impact Analysis

This vulnerability allows an attacker to forge HS256 signatures by exploiting timing attacks during signature verification. This can lead to unauthorized actions or data manipulation in systems relying on httpsig-rs for signature verification.

Mitigation Strategies

Upgrade the httpsig-rs library to version 0.0.19 or later, as this version fixes the timing attack vulnerability in HMAC signature comparison.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59058. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart