CVE-2024-45607
MEDIUMwhatsapp-api-js 4.0.0-4.0.2 - Improper Verification of Cryptographic Signature in verifyRequestSignature
Title source: llmDescription
whatsapp-api-js is a TypeScript server agnostic Whatsapp's Official API framework. It's possible to check the payload validation using the WhatsAppAPI.verifyRequestSignature and expect false when the signature is valid. Incorrect Access Control, anyone using the post or verifyRequestSignature methods to handle messages is impacted. This vulnerability is fixed in 4.0.3.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/Secreto31126/whatsapp-api-js/security/advisories/GHSA-mwhf-vhr5-7j23
Patch x_refsource_misc
https://github.com/Secreto31126/whatsapp-api-js/pull/371
Scores
CVSS v3
5.8
EPSS
0.1289
EPSS Percentile
95.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-347
Status
published
Products (2)
npm/whatsapp-api-js
4.0.0 - 4.0.3npm
secreto31126/whatsapp-api-js
4.0.0 - 4.0.3
Published
Sep 12, 2024
Tracked Since
Feb 18, 2026