7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2015-10004

GHSA ID

GHSA-5vw4-v588-pgv8

EPSS Score

0.27457%

CWE

CWE-668

Published

12/28/2022

Updated

5/20/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2015-10004

CVE-2015-10004: robbert229/jwt's token validation methods vulnerable to a timing side-channel during HMAC comparison

Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low latency connection, an attacker may use this to determine the expected HMAC.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2015-10004

CVE-2015-10004:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2015-10004

GHSA ID

GHSA-5vw4-v588-pgv8

EPSS Score

0.27457%

CWE

CWE-668

Published

12/28/2022

Updated

5/20/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/robbert229/jwt	go	< 0.0.0-20170426191122-ca1404ee6e83	0.0.0-20170426191122-ca1404ee6e83

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows a critical change from strings.Compare to hmac.Equal in algorithms.go's validateSignature method. strings.Compare performs a non-constant-time string comparison that leaks timing information about HMAC matching through early exit on mismatch. This matches the described vulnerability pattern of timing side-channels in HMAC validation. The direct replacement with a constant-time comparison function (hmac.Equal) in the patch confirms this was the vulnerable code path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2015-10004: robbert229/jwt's token validation methods vulnerable to a timing side-channel during HMAC comparison

CVE-2015-10004:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

7.5

7.5

CVE-2015-10004: robbert229/jwt's token validation methods vulnerable to a timing side-channel during HMAC comparison

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI