CVE-2022-29185

Name of the Vulnerable Software and Affected Versions totp-rs versions prior to 1.1.0

Description The issue concerns a Rust library used for creating 2FA authentication tokens based on time-based one-time passwords (TOTP). Prior to version 1.1.0, token comparison was not performed in constant time, which could theoretically allow an attacker to guess the value of a TOTP token and reuse it within the same time window, provided they already know the password. The library now uses constant-time comparison starting from version 1.1.0.

Recommendations For versions prior to 1.1.0, update to version 1.1.0 or later to ensure token comparison is performed in constant time, mitigating the risk of token guessing and reuse. As a temporary workaround, consider restricting access to sensitive operations that rely on TOTP tokens until the update can be applied.