PT-2024-18907 · Svix · Svix

Fredrik Meringdal

Published: 2024-02-06

Updated: 2025-01-03

CVE-2024-21491

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: svix versions prior to 1.17.0

Description: The issue arises from an incorrect comparison of signatures of different lengths in the verify function, allowing an attacker to bypass signature verification by providing a shorter signature that matches the beginning of the actual signature. The Webhook::verify function is specifically affected, as it compares signatures only up to the length of the shorter signature. For an attack to succeed, the attacker would need to know that the victim uses the Rust library for verification and receives webhooks from a service that uses Svix, and then craft a malicious payload with the correct identifiers to trick the receivers.

Recommendations: For versions prior to 1.17.0, update to version 1.17.0 or later to resolve the issue. As a temporary workaround, consider disabling the Webhook::verify function until a patch is available. Restrict access to the Webhook module to minimize the risk of exploitation. Avoid using the verify function in the affected API endpoint until the issue is resolved.
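The comparison defect described above, modelled side by side with the length-checked, constant-time comparison that closes it. This is an added example and not Svix's own code; the `v1,<signature>` header layout and the 32-byte stand-in signature are constructed assumptions, and signatures are handled as raw bytes rather than base64 so the block needs no external crates.

```rust
// Added example (not Svix's code): a zip-based comparison stops at the
// shorter input, so a signature that is merely a prefix of the expected
// one is accepted; the fixed version rejects any length mismatch first.

/// Flawed comparison: `zip` walks both slices in lock-step and ends at the
/// shorter one, so a length mismatch is never noticed. A provided signature
/// that is a prefix of the expected one (even an empty one) passes.
pub fn verify_prefix_only(expected: &[u8], provided: &[u8]) -> bool {
    expected.iter().zip(provided.iter()).all(|(a, b)| a == b)
}

/// Fixed comparison: reject on length mismatch, then compare every byte
/// without an early exit so timing does not reveal where bytes differ.
pub fn verify_full_constant_time(expected: &[u8], provided: &[u8]) -> bool {
    if expected.len() != provided.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (a, b) in expected.iter().zip(provided.iter()) {
        diff |= a ^ b;
    }
    diff == 0
}

/// Constructed model of a signature header: space-separated "v1,<sig>"
/// entries, any one of which may match. `cmp` selects the comparison used.
pub fn header_matches(header: &str, expected: &[u8], cmp: fn(&[u8], &[u8]) -> bool) -> bool {
    header
        .split(' ')
        .filter_map(|entry| entry.strip_prefix("v1,"))
        .any(|sig| cmp(expected, sig.as_bytes()))
}

fn main() {
    // Constructed stand-in for a 32-byte HMAC output (not a real signature).
    let expected = b"0123456789abcdef0123456789abcdef";
    let truncated = "v1,0123456789ab";
    println!(
        "prefix-only comparison accepts truncated signature: {}",
        header_matches(truncated, expected, verify_prefix_only)
    );
    println!(
        "length-checked comparison accepts truncated signature: {}",
        header_matches(truncated, expected, verify_full_constant_time)
    );
}
```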

Weakness Enumeration

Authentication Bypass Using an Alternate Path or Channel

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2024-21491
GHSA-747X-5M58-MQ97
GHSA-W277-WPQF-RCFV
RUSTSEC-2024-0010

Affected Products

Svix