Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-q257-vv4p-fg92

GitHub Security Advisory

Header Forgery in http-signature

✓ GitHub Reviewed HIGH Has CVE
View on GitHub

Advisory Details

Affected versions of `http-signature` contain a vulnerability which can allow an attacker in a privileged network position to modify header names and change the meaning of the request, without requiring an updated signature.

This problem occurs because vulnerable versions of `http-signature` sign the contents of headers, but not the header names.

## Proof of Concept

Consider this to be the initial, untampered request:
```http
POST /pay HTTP/1.1
Host: example.com
Date: Thu, 05 Jan 2012 21:31:40 GMT
X-Payment-Source: [email protected]
X-Payment-Destination: [email protected]
Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="x-payment-source x-payment-destination" MDyO5tSvin5...
```

And the request is intercepted and tampered as follows:
```http
X-Payment-Source: [email protected] // Emails switched
X-Payment-Destination: [email protected]
Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="x-payment-destination x-payment-source" MDyO5tSvin5...
```

In the resulting responses, both requests would pass signature verification without issue.
```
[email protected]\n
[email protected]\n
```

## Recommendation

Update to version 0.10.0 or higher.

Affected Packages

npm http-signature
Affected versions: 0 (fixed in 0.10.0)

Related CVEs

CVE-2017-16005

Key Information

GHSA ID
GHSA-q257-vv4p-fg92
Published
November 9, 2018 5:49 PM
Last Modified
September 8, 2023 11:24 PM
CVSS Score
7.5 /10
Primary Ecosystem
npm
Primary Package
http-signature
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 31, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.