PT-2026-53777 · Maven · Org.Http4K:Http4K-Security-Digest

Published: 2026-06-19 · Updated: 2026-06-19

Severity: None. No severity ratings or metrics are available for this entry.

Impact

ServerFilters.DigestAuth and the underlying DigestAuthProvider both defaulted their nonceVerifier parameter to { true } — i.e. every nonce was accepted regardless of value, age, or prior use. Any deployment using the default configuration had no replay protection on Digest authentication; a captured Authorization: Digest … response could be replayed indefinitely against the same protected resource.
The nonce-verification mechanism in Digest auth is the primary anti-replay control — without it, Digest reduces to a credential bound only to a stale nonce string.
Who is affected: any application using ServerFilters.DigestAuth or DigestAuthProvider with the default nonceVerifier. The broken default has been present since DigestAuthProvider was introduced (2021). Exploitation requires the attacker to first capture a valid Digest response (network observation, log access, etc.) — non-trivial in modern TLS deployments but not impossible. Anyone running Digest auth with default config should treat upgrade as urgent.

Patches

Line               Fixed in    Edition
v6.x (Community)   6.48.0.0    Community
v5.x (LTS)         5.42.0.0    Enterprise — contact enterprise@http4k.org (if Digest auth is present in your v5.x line)
v4.x (LTS)         4.51.0.0    Enterprise — contact enterprise@http4k.org (if Digest auth is present in your v4.x line)
The fix ([Break]) removes the default value for nonceVerifier from both ServerFilters.DigestAuth and DigestAuthProvider. Callers must now supply a real verifier explicitly — the broken default cannot be silently inherited.

Workarounds

For deployments that cannot upgrade immediately: explicitly supply a nonceVerifier that tracks issued nonces, enforces a TTL, and rejects re-use. Do not rely on the default.
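As an added example (not http4k's own code and not part of this advisory), the following Kotlin shows what the workaround above asks for and what the `{ true }` default described under Impact lacked: a store whose `generate()` is the nonce source and whose `verify()` is the explicit `nonceVerifier`, accepting each nonce at most once and only while it is younger than a TTL. `NonceStore`, its method names and the fixed-clock test values are assumptions made for illustration; the http4k wiring in the trailing comment uses assumed parameter names and must be checked against the `ServerFilters.DigestAuth` / `DigestAuthProvider` signature of your version.

```kotlin
import java.security.SecureRandom
import java.time.Duration
import java.time.Instant
import java.util.Base64
import java.util.concurrent.ConcurrentHashMap

/**
 * Hypothetical stateful nonce store (illustrative, not part of http4k).
 * It issues unpredictable nonces, remembers when each was issued, and accepts
 * a nonce at most once and only while it is younger than [ttl].
 */
class NonceStore(
    private val ttl: Duration = Duration.ofMinutes(5),
    private val now: () -> Instant = Instant::now,
    private val random: SecureRandom = SecureRandom(),
) {
    private val issued = ConcurrentHashMap<String, Instant>()

    /** Generator side: 16 random bytes, URL-safe base64, recorded with its issue time. */
    fun generate(): String {
        val bytes = ByteArray(16).also(random::nextBytes)
        val nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)
        issued[nonce] = now()
        return nonce
    }

    /**
     * Verifier side. remove() makes the check atomic: two concurrent replays of the
     * same nonce cannot both succeed. Unknown, already-used and expired nonces are
     * all rejected; the advisory's `{ true }` default rejected none of them.
     */
    fun verify(nonce: String): Boolean {
        val issuedAt = issued.remove(nonce) ?: return false
        return Duration.between(issuedAt, now()) <= ttl
    }

    /** Housekeeping: drop expired entries so unanswered challenges cannot grow the map without bound. */
    fun evictExpired() {
        val cutoff = now().minus(ttl)
        issued.entries.removeIf { it.value.isBefore(cutoff) }
    }

    fun size(): Int = issued.size
}

fun main() {
    // Constructed fixed clock so the TTL behaviour is deterministic.
    var clockNow = Instant.parse("2026-06-19T00:00:00Z")
    val store = NonceStore(ttl = Duration.ofMinutes(5), now = { clockNow })

    val n1 = store.generate()
    check(store.verify(n1))            // first use within TTL: accepted
    check(!store.verify(n1))           // replay of the same nonce: rejected
    check(!store.verify("forged"))     // never issued: rejected

    val n2 = store.generate()
    clockNow = clockNow.plus(Duration.ofMinutes(6))
    check(!store.verify(n2))           // issued and unused, but older than TTL: rejected

    val n3 = store.generate()
    clockNow = clockNow.plus(Duration.ofMinutes(6))
    store.evictExpired()
    check(store.size() == 0)           // n3 expired and was evicted
    check(!store.verify(n3))
    println("nonce store behaves as expected")

    // Wiring into http4k (ASSUMED parameter names; verify against your version's signature):
    //   ServerFilters.DigestAuth(realm = "app", passwordLookup = ::lookupPassword,
    //       nonceGenerator = store::generate, nonceVerifier = store::verify)
    // With more than one server instance, back the store with shared storage rather than
    // this in-memory map, otherwise a nonce issued by one node is unknown to the others.
}
```

Because `verify()` consumes the nonce on first use, a client that reuses a nonce with an incremented nonce-count will be refused and must answer a fresh challenge; that is the trade-off the workaround accepts in exchange for closing the replay window. Call `evictExpired()` from a periodic task so challenges that are never answered do not accumulate.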
Related Identifiers

GHSA-C7JM-38GQ-H67H

Affected Products

Org.Http4K:Http4K-Security-Digest