Headline
GHSA-q7pg-9pr4-mrp2: httpsig-rs: HMAC verification is vulnerable to timing attack
Summary
HMAC signature comparison is not timing-safe and is vulnerable to timing attacks.
Details
SharedKey::sign() returns a Vec<u8> which has a non-constant-time equality implementation.
Hmac::finalize() returns a constant-time wrapper (CtOutput) which was discarded. Alternatively, Hmac has a constant-time verify() method.
The problem reported here is due to the following lines in SharedKey::sign() of the previous code:
let mut mac = HmacSha256::new_from_slice(key).unwrap();
mac.update(data);
Ok(mac.finalize().into_bytes().to_vec())
and the merged update changes the third line to directly verify with verify_slice.
Impact
Anyone who uses HS256 signature verification is vulnerably to Timing Attack that allows the attacker to forge a signature.
Summary
HMAC signature comparison is not timing-safe and is vulnerable to timing attacks.
Details
SharedKey::sign() returns a Vec<u8> which has a non-constant-time equality implementation.
Hmac::finalize() returns a constant-time wrapper (CtOutput) which was discarded. Alternatively, Hmac has a constant-time verify() method.
The problem reported here is due to the following lines in SharedKey::sign() of the previous code:
let mut mac = HmacSha256::new_from_slice(key).unwrap(); mac.update(data); Ok(mac.finalize().into_bytes().to_vec())
and the merged update changes the third line to directly verify with verify_slice.
Impact
Anyone who uses HS256 signature verification is vulnerably to Timing Attack that allows the attacker to forge a signature.
References
- GHSA-q7pg-9pr4-mrp2
- https://nvd.nist.gov/vuln/detail/CVE-2025-59058
- junkurihara/httpsig-rs@fc095b6