
CVE-2015-10004: robbert229/jwt's token validation methods vulnerable to a timing side-channel during HMAC comparison

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.27457%
Published: 12/28/2022
Updated: 5/20/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: github.com/robbert229/jwt
Ecosystem: go
Vulnerable Versions: < 0.0.0-20170426191122-ca1404ee6e83
First Patched Version: 0.0.0-20170426191122-ca1404ee6e83

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The commit diff shows a critical change from strings.Compare to hmac.Equal in algorithms.go's validateSignature method. strings.Compare performs a non-constant-time string comparison that leaks timing information about HMAC matching through early exit on mismatch. This matches the described vulnerability pattern of timing side-channels in HMAC validation. The direct replacement with a constant-time comparison function (hmac.Equal) in the patch confirms this was the vulnerable code path.
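The two comparison patterns described above, side by side, as an added example that is not the project's own code. The function names, key and token value are hypothetical and constructed for illustration; only strings.Compare and hmac.Equal come from the analysis.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// computeMAC returns the raw HMAC-SHA256 of a JWT signing input ("header.payload").
func computeMAC(signingInput string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// sign returns the base64url signature segment for the signing input.
func sign(signingInput string, key []byte) string {
	return base64.RawURLEncoding.EncodeToString(computeMAC(signingInput, key))
}

// validateLeaky is the pre-patch pattern: strings.Compare is not constant-time.
func validateLeaky(signingInput, sig string, key []byte) bool {
	return strings.Compare(sign(signingInput, key), sig) == 0
}

// validateConstantTime is the patched pattern: hmac.Equal leaks no timing information.
func validateConstantTime(signingInput, sig string, key []byte) bool {
	presented, err := base64.RawURLEncoding.DecodeString(sig)
	if err != nil {
		return false // malformed signature segment
	}
	return hmac.Equal(computeMAC(signingInput, key), presented)
}

// checkToken splits a compact token and validates its signature in constant time.
func checkToken(token string, key []byte) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	return validateConstantTime(parts[0]+"."+parts[1], parts[2], key)
}

func main() {
	key, input := []byte("constructed-demo-key"), "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0"
	fmt.Println(checkToken(input+"."+sign(input, key), key))
}
```

Both validators return the same accept/reject decision; they differ only in whether the time taken depends on the presented signature.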


WAF Protection Rules

WAF Rule

Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low latency connection, an attacker may use this to determine the expected HMAC.
