CVE-2022-31142
📋 TL;DR
This vulnerability in @fastify/bearer-auth allows attackers to perform timing attacks to estimate valid bearer token lengths, reducing the search space for brute force attacks. It affects users of @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1, and fastify-bearer-auth versions 5.0.1 through 6.0.3. The vulnerability stems from insecure use of crypto.timingSafeEqual.
💻 Affected Systems
- @fastify/bearer-auth
- fastify-bearer-auth
📦 What is this software?
Bearer Auth by Fastify
⚠️ Risk & Real-World Impact
Worst Case
Attackers could eventually brute force valid bearer tokens, gaining unauthorized access to protected resources and potentially compromising user accounts or sensitive data.
Likely Case
Attackers could reduce brute force attack time by learning token length information, making token guessing more feasible over time.
If Mitigated
With proper network controls and monitoring, impact is limited to increased risk of token compromise rather than immediate breach.
🎯 Exploit Status
Timing attacks require multiple requests and statistical analysis, but tools exist to automate this. No public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: @fastify/bearer-auth 7.0.2 or 8.0.1
Vendor Advisory: https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr
Restart Required: Yes
Instructions:
1. Update package.json to use @fastify/bearer-auth version 7.0.2 or 8.0.1.
2. Run npm update @fastify/bearer-auth or yarn upgrade @fastify/bearer-auth.
3. Restart your Fastify application.
🔧 Temporary Workarounds
No known workarounds
The vulnerability is in the core authentication logic and cannot be mitigated without patching.
🧯 If You Can't Patch
- Implement rate limiting on authentication endpoints to reduce timing attack effectiveness
- Use additional authentication layers (IP whitelisting, WAF rules) to protect vulnerable endpoints
🔍 How to Verify
Check if Vulnerable:
Check package.json for @fastify/bearer-auth on the 7.x line below 7.0.2 or on the 8.x line below 8.0.1, or for fastify-bearer-auth version 5.0.1 through 6.0.3
Check Version:
npm list @fastify/bearer-auth or npm list fastify-bearer-auth
Verify Fix Applied:
Verify package.json shows @fastify/bearer-auth version 7.0.2 or higher on the 7.x line, or 8.0.1 or higher
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts with varying token lengths
- Unusual timing patterns in authentication requests
Network Indicators:
- High volume of requests to authentication endpoints with incremental token variations
SIEM Query:
source="application_logs" AND (message="authentication failed" OR message="bearer token") | stats count by src_ip, token_length
🔗 References
- https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4
- https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716
- https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f
- https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr
- https://hackerone.com/reports/1633287