packages:
  - module: github.com/robbert229/jwt
    symbols:
      - Algorithm.validateSignature
    versions:
      - fixed: 0.0.0-20170426191122-ca1404ee6e83
description: |
  Token validation methods are susceptible to a timing side-channel
  during HMAC comparison. With a large enough number of requests
  over a low latency connection, an attacker may use this to determine
  the expected HMAC.
published: 2021-04-14T20:04:52Z
links:
  commit: https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654
  context:
    - https://github.com/robbert229/jwt/issues/12