RUSTSEC-2024-0010: 
Rust vulnerability analysis and mitigation

The svix package versions before 1.17.0 contain an Authentication Bypass vulnerability (CVE-2024-21491) due to an issue in the verify function where signatures of different lengths are incorrectly compared. The vulnerability was discovered in February 2024 and affects the Rust implementation of the svix webhook verification library (NVD).

The vulnerability stems from a flaw in the signature verification process where signatures of different lengths are only compared up to the length of the shorter signature. This implementation error allows an attacker to bypass signature verification by providing a shorter signature that matches the beginning of the actual signature. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (NVD).

An attacker could potentially bypass webhook signature verification by providing a truncated signature that matches the beginning of the valid signature. However, successful exploitation requires knowledge that the victim uses the Rust library for verification and uses webhooks by a service that uses Svix. The attacker would also need to craft a malicious payload containing the correct identifiers to trick the receivers (NVD).

The vulnerability has been fixed in version 1.17.0 of the svix package. The fix ensures that the length of signatures is taken into account during comparison, requiring exact length matches before proceeding with the verification process (GitHub PR).