4.3

CVSS Score

Basic Information

CVE ID

CVE-2016-10535

GHSA ID

GHSA-hjhr-r3gq-qvp6

EPSS Score

0.54157%

CWE

CWE-208

Published

2/18/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-10535

CVE-2016-10535: Timing Attack in csrf-lite

Affected versions of csrf-lite are vulnerable to timing attacks as a result of testing CSRF tokens via a fail-early comparison instead of a constant-time comparison.

Timing attacks remove the exponential increase in entropy gained from increased secret length, by providing per-character feedback on the correctness of a guess via miniscule timing differences.

Under favorable network conditions, an attacker can exploit this to guess the secret in no more than (16*18)288 guesses, instead of the 16^18 guesses required were the timing attack not present.

Recommendation

Update to version 0.1.2 or later.

(GitHub Advisory)

4.3

CVSS Score

Basic Information

CVE ID

CVE-2016-10535

GHSA ID

GHSA-hjhr-r3gq-qvp6

EPSS Score

0.54157%

CWE

CWE-208

Published

2/18/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
csrf-lite	npm	< 0.1.2	0.1.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The security patch shows the vulnerable code was in the validation function where CSRF tokens were compared using === operator. The function was renamed from csrf.valid to csrf.validate() in the patch, but both point to the same validation logic. This is the exact location where attackers could exploit timing differences in string comparison. The commit replaces the vulnerable comparison with scmp's constant-time comparison, confirming this was the attack surface.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `*sr*-lit*` *r* vuln*r**l* to timin* *tt**ks *s * r*sult o* t*stin* *SR* tok*ns vi* * **il-**rly *omp*rison inst*** o* * *onst*nt-tim* *omp*rison. Timin* *tt**ks r*mov* t** *xpon*nti*l in*r**s* in *ntropy **in** *rom in*r**s**

Reasoning

T** s**urity p*t** s*ows t** vuln*r**l* *o** w*s in t** v*li**tion *un*tion w**r* *SR* tok*ns w*r* *omp*r** usin* === op*r*tor. T** *un*tion w*s r*n*m** *rom `*sr*.v*li*` to `*sr*.v*li**t*()` in t** p*t**, *ut *ot* point to t** s*m* v*li**tion lo*i*.

4.3

Basic Information

Concerned about an active attack path?

CVE-2016-10535: Timing Attack in csrf-lite

Recommendation

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI