
GHSA-4g53-vp7q-gfjv: constructEvent does not verify header

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
CWE: -
Published: 5/28/2021
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @worker-tools/stripe-webhook | npm | < 1.1.4 | 1.1.4 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The security patch modifies the constructEvent function to add `await` before the call to verifyHeader. This indicates that the original vulnerability was caused by improper handling of an asynchronous security check: without the `await`, the result of verifyHeader could not gate what constructEvent returned. The advisory explicitly states that constructEvent was the vulnerable entry point, and the patch evidence shows the function was missing the async/await mechanics required for the verification to take effect. In runtime detection, constructEvent would appear in profiler traces when processing unverified webhook payloads.


WAF Protection Rules

WAF Rule

### Impact
Anyone verifying a Stripe webhook request via this library's `constructEvent` function.

### Patches
Upgrade to 1.1.4.

### Workarounds
Use `await verifyHeader(...)` directly instead of `constructEvent`.

### References
https://github.com
