PT-2018-6034 · Joyent · Http-Signature

Author: Dlongley · Published: 2018-06-04 · Updated: 2019-10-09 · CVE-2017-16005

CVSS v3.1: 7.5 (High) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: http-signature versions <=0.9.11
Description: The issue allows an attacker in a privileged network position to rename headers and thereby change the meaning of a request without invalidating its signature. This occurs because vulnerable versions of http-signature sign only the values of the listed headers, not the header names. For example, an attacker can intercept a request and swap the names of the X-Payment-Source and X-Payment-Destination headers without the signature changing, so a verifier accepts a request whose meaning has been altered.
Recommendations: Update to version 0.10.0 or higher. As a temporary workaround, consider restricting access to sensitive endpoints, such as /pay, to minimize the risk of exploitation. Avoid using the Authorization header with vulnerable versions of http-signature until the issue is resolved.

Tags: Fix · RCE · Improper Verification of Cryptographic Signature


Weakness Enumeration

Related Identifiers

CVE-2017-16005
GHSA-Q257-VV4P-FG92

Affected Products

Http-Signature