CVE-2015-10004

HIGH

Token Validation - Timing Side-Channel

Title source: llm

Description

Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low latency connection, an attacker may use this to determine the expected HMAC.

References (3)

[Patch, Third Party Advisory] https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654

[Issue Tracking, Third Party Advisory] https://github.com/robbert229/jwt/issues/12

[Patch, Vendor Advisory] https://pkg.go.dev/vuln/GO-2020-0023

Scores

CVSS v3 7.5

EPSS 0.0032

EPSS Percentile 55.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-668

Status published

Affected Products (2)

json_web_token_project/json_web_token

robbert229/jwt < 0.0.0-20170426191122-ca1404ee6e83Go

Timeline

Published Dec 27, 2022

Tracked Since Feb 18, 2026