CVE-2024-45607— whatsapp-api-js fails to validate message's signature

whatsapp-api-js fails to validate message's signature

whatsapp-api-js is a TypeScript server agnostic Whatsapp's Official API framework. It's possible to check the payload validation using the WhatsAppAPI.verifyRequestSignature and expect false when the signature is valid. Incorrect Access Control, anyone using the post or verifyRequestSignature methods to handle messages is impacted. This vulnerability is fixed in 4.0.3.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

密码学签名的验证不恰当

whatsapp-api-js 数据伪造问题漏洞

whatsapp-api-js是Tomás Raiti个人开发者的一个与 TypeScript 服务器无关的 Whatsapp 的官方 API 框架。 whatsapp-api-js 4.0.3之前版本存在数据伪造问题漏洞，该漏洞源于使用WhatsAppAPI.verifyRequestSignature方法时对有效签名错误地返回false，这会导致不正确的访问控制。

N/A

N/A