GHSA-w277-wpqf-rcfv: Duplicate Advisory: Svix vulnerable to improper comparison of different-length signatures

February 6, 2024 (updated January 23, 2026)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-747x-5m58-mq97. This link is maintained to preserve external references.

Original Description

The Webhook::verify function incorrectly compared signatures of different lengths - the two signatures would only be compared up to the length of the shorter signature. This allowed an attacker to pass in v1, as the signature, which would always pass verification.

References

github.com/advisories/GHSA-w277-wpqf-rcfv
github.com/svix/svix-webhooks
github.com/svix/svix-webhooks/commit/958821bd3b956d1436af65f70a0964d4ffb7daf6
github.com/svix/svix-webhooks/pull/1190
rustsec.org/advisories/RUSTSEC-2024-0010.html

Code Behaviors & Features

Detect and mitigate GHSA-w277-wpqf-rcfv with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →