Fredrik Meringdal

**Name of the Vulnerable Software and Affected Versions** svix versions prior to 1.17.0 **Description** The issue arises from an incorrect comparison of signatures of different lengths in the verify function, allowing an attacker to bypass signature verification by providing a shorter signature that matches the beginning of the actual signature. The `Webhook::verify` function is specifically affected, as it compares signatures only up to the length of the shorter signature. For an attack to be successful, the attacker would need to know that the victim uses the Rust library for verification and uses webhooks by a service that uses Svix, and then craft a malicious payload with the correct identifiers to trick the receivers. **Recommendations** For versions prior to 1.17.0, update to version 1.17.0 or later to resolve the issue. As a temporary workaround, consider disabling the `Webhook::verify` function until a patch is available. Restrict access to the `Webhook` module to minimize the risk of exploitation. Avoid using the `verify` function in the affected API endpoint until the issue is resolved.