GHSA-gxhx-2686-5h9g: slack-go `SecretsVerifier` accepts empty signing secret without precondition

May 14, 2026

func NewSecretsVerifier(header http.Header, secret string) (SecretsVerifier, error) {
hash := hmac.New(sha256.New, []byte(secret))    // raw secret, no precondition
}

References

github.com/advisories/GHSA-gxhx-2686-5h9g
github.com/slack-go/slack/releases/tag/v0.23.1
github.com/slack-go/slack/security/advisories/GHSA-gxhx-2686-5h9g

Code Behaviors & Features

Detect and mitigate GHSA-gxhx-2686-5h9g with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →