PT-2026-53777 · Maven · Org.Http4K:Http4K-Security-Digest
Published 2026-06-19 · Updated 2026-06-19
Severity: None. No severity ratings or metrics are available; when they are, the corresponding information on this page will be updated.
Impact
ServerFilters.DigestAuth and the underlying DigestAuthProvider both defaulted their nonceVerifier parameter to { true }, i.e. every nonce was accepted regardless of its value, age, or prior use. Any deployment using the default configuration had no replay protection on Digest authentication: a captured Authorization: Digest … response could be replayed indefinitely against the same protected resource.

Nonce verification is the primary anti-replay control in Digest auth. Without it, a Digest response reduces to a reusable credential bound only to a stale nonce string.

Who is affected: any application using ServerFilters.DigestAuth or DigestAuthProvider with the default nonceVerifier. The broken default has been present since DigestAuthProvider was introduced (2021). Exploitation requires the attacker to first capture a valid Digest response (network observation, log access, etc.), which is non-trivial in modern TLS deployments but not impossible. Anyone running Digest auth with the default configuration should treat the upgrade as urgent.

Patches
| Line | Fixed in | Edition |
|---|---|---|
| v6.x (Community) | 6.48.0.0 | Community |
| v5.x (LTS) | 5.42.0.0 | Enterprise — contact enterprise@http4k.org (if Digest auth is present in your v5.x line) |
| v4.x (LTS) | 4.51.0.0 | Enterprise — contact enterprise@http4k.org (if Digest auth is present in your v4.x line) |
The fix ([Break]) removes the default value for nonceVerifier from both ServerFilters.DigestAuth and DigestAuthProvider. Callers must now supply a real verifier explicitly, so the broken default cannot be silently inherited.

Workarounds
For deployments that cannot upgrade immediately: explicitly supply a nonceVerifier that tracks issued nonces, enforces a TTL, and rejects re-use. Do not rely on the default.
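The following is an added example of the kind of verifier the workaround calls for; it is not http4k's own code and does not reproduce the library's API. It assumes the verifier is handed the nonce string echoed back in the Authorization header, and that the same store backs the nonce generator used for the WWW-Authenticate challenge (otherwise every nonce is "unknown" and rejected). The commented wiring line at the end is an assumed shape; check the nonceVerifier type in your installed http4k version.

```kotlin
import java.security.SecureRandom
import java.time.Clock
import java.time.Duration
import java.time.Instant
import java.time.ZoneId
import java.time.ZoneOffset
import java.util.Base64
import java.util.concurrent.ConcurrentHashMap

/**
 * Replay-resistant nonce store for Digest auth (added example, not http4k code).
 * A nonce is accepted only if this store issued it, it is younger than [ttl],
 * and it has never been accepted before. Acceptance removes the nonce, so a
 * captured Authorization: Digest header cannot be replayed.
 */
class ReplayResistantNonces(
    private val clock: Clock = Clock.systemUTC(),
    private val ttl: Duration = Duration.ofMinutes(5),
) {
    private val random = SecureRandom()
    // nonce -> time it was issued; only nonces we minted ourselves appear here
    private val issued = ConcurrentHashMap<String, Instant>()

    /** Mint an unguessable 256-bit nonce for the WWW-Authenticate challenge. */
    fun issue(): String {
        val bytes = ByteArray(32).also(random::nextBytes)
        val nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)
        issued[nonce] = clock.instant()
        return nonce
    }

    /**
     * Verifier for the nonce echoed back in the Authorization header.
     * remove() is atomic, so two concurrent replays of one nonce cannot both pass.
     */
    fun verify(nonce: String): Boolean {
        val issuedAt = issued.remove(nonce) ?: return false // unknown or already consumed
        return Duration.between(issuedAt, clock.instant()) <= ttl
    }

    /** Periodic housekeeping: forget expired nonces that were never consumed. */
    fun evictExpired(): Int {
        val cutoff = clock.instant().minus(ttl)
        val before = issued.size
        issued.entries.removeIf { it.value.isBefore(cutoff) }
        return before - issued.size
    }
}

/** Exercises the three rejection cases against a controllable clock (constructed data). */
fun main() {
    val start = Instant.parse("2026-06-19T12:00:00Z")
    var now = start
    // Clock whose instant() follows the `now` variable, so expiry can be shown offline
    val clock = object : Clock() {
        override fun instant(): Instant = now
        override fun getZone(): ZoneId = ZoneOffset.UTC
        override fun withZone(zone: ZoneId): Clock = this
    }
    val nonces = ReplayResistantNonces(clock, Duration.ofMinutes(5))

    val n1 = nonces.issue()
    check(nonces.verify(n1))                  // first use within TTL: accepted
    check(!nonces.verify(n1))                 // replay of the same nonce: rejected
    check(!nonces.verify("attacker-chosen"))  // nonce this server never issued: rejected

    val n2 = nonces.issue()
    now = start.plus(Duration.ofMinutes(6))
    check(!nonces.verify(n2))                 // issued and unused, but older than TTL: rejected
    check(nonces.evictExpired() == 0)         // n2 was already consumed by the failed verify
    println("replayed, forged and expired nonces all rejected")

    // Wiring into http4k (ASSUMED shape; confirm against your version's nonceVerifier type):
    //   ServerFilters.DigestAuth(..., nonceVerifier = { nonce -> nonces.verify(nonce.toString()) })
}
```

One-shot consumption is the simplest policy that is actually correct: the server must hand out a fresh nonce on every challenge, and a client that tries to reuse a nonce (for example by incrementing the nonce-count with qop=auth, as RFC 7616 permits) is simply challenged again. Allowing legitimate nonce reuse would require the verifier to also see and track the nonce-count, which the nonceVerifier parameter described on this page does not indicate it receives. Run evictExpired() on a timer so unused nonces from abandoned challenges do not accumulate.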
Affected Products
Org.Http4K:Http4K-Security-Digest