httpsig-rs HMAC Timing Attack Vulnerability in Signature Verification

Vulnerability

A timing attack vulnerability has been identified in httpsig-rs, a Rust implementation of HTTP message signatures (IETF RFC 9421). In versions prior to 0.0.19, the HMAC signature comparison is not timing-safe. Users relying on HS256 signature verification are therefore exposed to a timing attack that could allow an attacker to forge a signature.

Impact

Exploitation of this vulnerability allows for timing attacks on HMAC signature verification, enabling an attacker to forge signatures.

Remediation

Users can upgrade to httpsig-rs version 0.0.19 or later to address this vulnerability.
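
The difference between a tag comparison that is not timing-safe and one that is, shown as an added example. This is not httpsig-rs code; the function names and the sample tags are constructed for illustration.

```rust
// Added illustration: function names and sample tags are constructed here,
// not taken from httpsig-rs.

/// Early-exit comparison. Returns the verdict and how many bytes were examined;
/// the work done tracks the length of the matching prefix, which is the signal
/// a timing side channel exposes.
fn leaky_eq(expected: &[u8], provided: &[u8]) -> (bool, usize) {
    if expected.len() != provided.len() {
        return (false, 0);
    }
    for (i, (a, b)) in expected.iter().zip(provided).enumerate() {
        if a != b {
            return (false, i + 1); // stops at the first mismatch
        }
    }
    (true, expected.len())
}

/// Constant-time comparison. Every byte is always processed and differences
/// are folded together with XOR/OR, so the work does not depend on where
/// (or whether) the inputs differ.
fn constant_time_eq(expected: &[u8], provided: &[u8]) -> (bool, usize) {
    if expected.len() != provided.len() {
        return (false, 0); // tag length is fixed by the MAC algorithm, not secret
    }
    let mut diff: u8 = 0;
    let mut examined = 0;
    for (a, b) in expected.iter().zip(provided) {
        diff |= a ^ b;
        examined += 1;
    }
    // black_box asks the optimizer not to specialise on the accumulated value
    (std::hint::black_box(diff) == 0, examined)
}

fn main() {
    // Constructed 32-byte tag (HMAC-SHA256 output length) and two wrong tags.
    let expected: [u8; 32] = std::array::from_fn(|i| i as u8);
    let (mut wrong_first, mut wrong_last) = (expected, expected);
    wrong_first[0] ^= 0xff;
    wrong_last[31] ^= 0xff;
    for (name, tag) in &[("first byte wrong", wrong_first), ("last byte wrong", wrong_last)] {
        println!("{}: leaky={:?} constant_time={:?}", name,
                 leaky_eq(&expected, tag), constant_time_eq(&expected, tag));
    }
}
```

In production code, rely on a vetted constant-time primitive (for example `ConstantTimeEq` from the `subtle` crate, or `verify_slice` in the `hmac` crate) instead of a hand-written loop.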

Added: Sep 12, 2025, 2:19 PM
Updated: Sep 12, 2025, 2:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.1
remediation: 7.7
relevance: 0.5
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.