PT-2022-20560 · Fastify · @Fastify/Bearer-Auth

Uzlopak · Published 2022-07-14 · Updated 2022-07-20 · CVE-2022-31142

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
@fastify/bearer-auth 7.x versions prior to 7.0.2 and 8.x versions prior to 8.0.1; fastify-bearer-auth versions 5.0.1 through 6.0.3.

Description
The issue stems from insecure use of crypto.timingSafeEqual in @fastify/bearer-auth, which lets an attacker estimate the length of a valid bearer token. Since RFC 6750 restricts bearer tokens to characters valid in base64, knowing the length further narrows the search space for a brute-force attack.

Recommendations
For @fastify/bearer-auth 7.x versions prior to 7.0.2, upgrade to version 7.0.2 or later. For @fastify/bearer-auth 8.x versions prior to 8.0.1, upgrade to version 8.0.1 or later. For fastify-bearer-auth versions 5.0.1 through 6.0.3, upgrade to a patched version of @fastify/bearer-auth.

Exploit · Fix · Side Channel Attack


Weakness Enumeration

Related Identifiers

CVE-2022-31142
GHSA-376V-XGJX-7MFR

Affected Products

@Fastify/Bearer-Auth