{"uuid": "96213dcb-a668-4a0f-bff6-2b44798a3e86", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-GXHX-2686-5H9G", "type": "seen", "source": "https://gist.github.com/alon710/e4391bc7fc64c5967eebed881d2ad7d3", "content": "# GHSA-GXHX-2686-5H9G: GHSA-gxhx-2686-5h9g: Signature Verification Bypass in slack-go via Empty SecretsVerifier\n\n> **CVSS Score:** 7.7\n> **Published:** 2026-05-14\n> **Full Report:** https://cvereports.com/reports/GHSA-GXHX-2686-5H9G\n\n## Summary\nThe slack-go library prior to version 0.23.1 contains a cryptographic signature verification vulnerability. The SecretsVerifier component fails to validate whether the provided Slack signing secret is empty. Applications initializing this verifier with an empty string\u2014such as from a missing environment variable\u2014allow attackers to bypass request authentication by forging signatures with an empty HMAC key.\n\n## TL;DR\nslack-go < 0.23.1 permits empty signing secrets, enabling attackers to bypass Slack request verification by generating valid HMAC signatures using an empty key if the application environment is misconfigured.\n\n## Technical Details\n\n- **CWE ID**: CWE-347\n- **Attack Vector**: Network\n- **CVSS Score**: 7.7\n- **Impact**: Authentication Bypass / Origin Forgery\n- **Exploit Status**: none\n- **Authentication Required**: None\n\n## Affected Systems\n\n- Applications utilizing github.com/slack-go/slack for Slack webhook and Slash command verification\n- Go services with misconfigured or unset SLACK_SIGNING_SECRET environment variables\n- **github.com/slack-go/slack**: < 0.23.1 (Fixed in: `0.23.1`)\n\n## Mitigation\n\n- Upgrade slack-go to version 0.23.1 or later\n- Implement explicit length validation on environment variables used for cryptographic keys\n- Adopt fail-closed startup routines for security configurations\n\n**Remediation Steps:**\n1. Verify the current version of github.com/slack-go/slack in the go.mod file\n2. Run `go get github.com/slack-go/slack@v0.23.1` to update the dependency\n3. Add precondition checks in the application code to verify the signing secret is not an empty string before calling NewSecretsVerifier\n4. Audit container orchestration and deployment manifests to ensure SLACK_SIGNING_SECRET is correctly populated\n5. Recompile and redeploy the application\n\n## References\n\n- [GitHub Security Advisory GHSA-gxhx-2686-5h9g](https://github.com/slack-go/slack/security/advisories/GHSA-gxhx-2686-5h9g)\n- [Official Release (v0.23.1)](https://github.com/slack-go/slack/releases/tag/v0.23.1)\n- [Package Repository](https://github.com/slack-go/slack)\n- [OSV Record](https://osv.dev/vulnerability/GHSA-gxhx-2686-5h9g)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-GXHX-2686-5H9G) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-15T07:40:29.000000Z"}