CVE-2022-31142
fastify-bearer-auth vulnerable to Timing Attack Vector
Description
### Impact

fastify-bearer-auth does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack. All versions of fastify-bearer-auth are also affected.

### Patches

We released:

* v8.0.1 with a fix for the Fastify v4 line
* v7.0.2 with a fix for the Fastify v3 line

### Workarounds

There are no workarounds. Update your dependencies.

### References

https://hackerone.com/reports/1633287

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [https://github.com/fastify/fastify-bearer-auth](https://github.com/fastify/fastify-bearer-auth)
* Email us at [[email protected]](mailto:[email protected])
How to fix CVE-2022-31142
To remediate CVE-2022-31142, upgrade the affected package to a fixed version below.
- —upgrade to 7.0.2 or later
- —no fix listed
Is CVE-2022-31142 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 7.0.2
- >= 5.0.1, <= 6.0.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |