
Description

httpsig-rs is a Rust implementation of IETF RFC 9421 HTTP Message Signatures. Prior to version 0.0.19, the HMAC signature comparison is not timing-safe. Anyone who uses HS256 signature verification is therefore vulnerable to a timing attack that allows an attacker to forge a signature. Version 0.0.19 fixes the issue.
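One common form of this flaw, as an added illustration (not httpsig-rs code and not the fix in the referenced commit): an early-exit byte comparison does work that depends on how much of the supplied tag matches, while an accumulate-then-test comparison does the same work for every input. The function names, the byte-count instrumentation and the 8-byte tag are constructed for the example; production code should use a vetted primitive such as `subtle::ConstantTimeEq` or the `hmac` crate's `verify_slice`.

```rust
// Added illustration; not httpsig-rs code. Tag bytes below are constructed.

/// Early-exit comparison: stops at the first mismatching byte, so the amount
/// of work depends on how long a prefix of `candidate` matches `expected`.
/// Returns (equal, bytes_examined) to make that data dependence visible.
fn leaky_eq(expected: &[u8], candidate: &[u8]) -> (bool, usize) {
    if expected.len() != candidate.len() {
        return (false, 0);
    }
    for (i, (a, b)) in expected.iter().zip(candidate).enumerate() {
        if a != b {
            return (false, i + 1);
        }
    }
    (true, expected.len())
}

/// Accumulating comparison: ORs together the XOR of every byte pair and only
/// tests the result once, so every equal-length input costs the same work.
fn ct_eq(expected: &[u8], candidate: &[u8]) -> (bool, usize) {
    if expected.len() != candidate.len() {
        return (false, 0); // tag length is public for a fixed MAC algorithm
    }
    let mut diff = 0u8;
    let mut examined = 0usize;
    for (a, b) in expected.iter().zip(candidate) {
        diff |= a ^ b;
        examined += 1;
    }
    // black_box discourages the optimizer from reintroducing an early exit.
    (std::hint::black_box(diff) == 0, examined)
}

fn main() {
    let expected = [0xA1u8, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6, 0x07, 0x18]; // constructed tag
    let mut far = expected;
    far[0] ^= 0xFF; // wrong from the first byte
    let mut near = expected;
    near[6] ^= 0xFF; // wrong only at byte 6
    for (name, c) in [("mismatch at byte 0", far), ("mismatch at byte 6", near)] {
        let leaky = leaky_eq(&expected, &c).1;
        let ct = ct_eq(&expected, &c).1;
        println!("{}: leaky examined {}, constant-time examined {}", name, leaky, ct);
    }
}
```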

PUBLISHED Reserved 2025-09-08 | Published 2025-09-12 | Updated 2025-09-12 | Assigner GitHub_M




MEDIUM: 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Problem types

CWE-208: Observable Timing Discrepancy

Product status

< 0.0.19: affected

References

github.com/...sig-rs/security/advisories/GHSA-q7pg-9pr4-mrp2

github.com/...ommit/fc095b6ce6043bb808f5d9c4379cf697899cb458

cve.org (CVE-2025-59058)

nvd.nist.gov (CVE-2025-59058)
