CVE-2015-10004: 
vulnerability analysis and mitigation

CVE-2015-10004 affects the JSON Web Token (JWT) implementation in github.com/robbert229/jwt. The vulnerability was discovered and disclosed in December 2022, with the fix being implemented in version v0.0.0-20170426191122-ca1404ee6e83. The vulnerability affects token validation methods that are susceptible to timing side-channel attacks during HMAC comparison (NVD, Go Vuln DB).

The vulnerability exists in the HMAC comparison functionality where the implementation uses string comparison instead of a constant-time comparison function. The vulnerability has a CVSS v3.1 Base Score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue stems from using strings.Compare() for HMAC validation, which is susceptible to timing analysis (Github Commit).

With a large enough number of requests over a low latency connection, an attacker may use timing differences to determine the expected HMAC. This could potentially lead to token forgery by allowing attackers to deduce the correct signature through careful timing analysis (NVD).

The vulnerability was fixed by replacing the string comparison (strings.Compare) with the constant-time comparison function hmac.Equal(). Users should upgrade to version v0.0.0-20170426191122-ca1404ee6e83 or later which contains the security fix (Github Commit).