CVE-2016-10535

Name of the Vulnerable Software and Affected Versions csrf-lite versions prior to 0.1.2

Description The issue concerns a timing attack vulnerability due to the use of a fail-first string comparison instead of a constant-time comparison when testing CSRF tokens. This allows an attacker to guess the secret in significantly fewer attempts, specifically no more than (16*18)288 guesses, as opposed to the 16^18 guesses that would be required without the timing attack. The vulnerability removes the exponential increase in entropy gained from increased secret length by providing per-character feedback on the correctness of a guess via miniscule timing differences.

Recommendations Update to version 0.1.2 or later.