Security Advisory

CVE-2025-59058

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2025-09-12 13:10:11
Last updated 2025-09-12 13:45:48
Assigner GitHub_M
State PUBLISHED

Description

httpsig-rs is a Rust implementation of IETF RFC 9421 http message signatures. Prior to version 0.0.19, the HMAC signature comparison is not timing-safe. This makes anyone who uses HS256 signature verification vulnerable to a timing attack that allows the attacker to forge a signature. Version 0.0.19 fixes the issue.