Wiz
Vulnerability DatabaseCVE-2025-59058

CVE-2025-59058
Rust vulnerability analysis and mitigation

Overview

CVE-2025-59058 affects httpsig-rs, a Rust implementation of IETF RFC 9421 http message signatures. The vulnerability was discovered and disclosed on September 12, 2025, impacting versions prior to 0.0.19. The issue lies in the HMAC signature comparison implementation which is not timing-safe (GitHub Advisory).

Technical details

The vulnerability stems from SharedKey::sign() returning a Vec which has a non-constant-time equality implementation. The Hmac::finalize() returns a constant-time wrapper (CtOutput) which was discarded. The CVSS v3.1 base score is 5.9 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating network attack vector with high complexity, requiring no privileges or user interaction (GitHub Advisory).

Impact

The vulnerability allows attackers to potentially forge signatures through timing attacks against systems using HS256 signature verification. The CVSS metrics indicate high impact on integrity while confidentiality and availability remain unaffected (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been fixed in version 0.0.19 by implementing constant-time verification using the verify_slice method instead of comparing the output bytes directly. Users should upgrade to version 0.0.19 or later to mitigate this vulnerability (GitHub Commit).

Additional resources

SourceThis report was generated using AI

Related Rust vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

GHSA-gfxp-f68g-8x78HIGH8.7
  • RustRust
  • libyml
NoNoSep 15, 2025
GHSA-95hm-pr6q-298wHIGH8.7
  • RustRust
  • fast-able
NoYesSep 15, 2025
GHSA-cvmj-47v9-35m9HIGH8.2
  • RustRust
  • fuser
NoYesSep 15, 2025
GHSA-hhw4-xg65-fp2xMEDIUM6.9
  • RustRust
  • serde_yml
NoNoSep 15, 2025
RUSTSEC-2025-0069N/AN/A
  • RustRust
  • daemonize
NoNoSep 14, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo