GHSA-M4W9-HJFW-VWJ4

Vulnerability from github – Published: 2026-06-19 21:16 – Updated: 2026-06-19 21:16
VLAI
Summary
http4k: `HmacSha256.hash` (despite the `Hmac` naming) computed a plain unkeyed digest; clarified by deprecation in favour of `Sha256.hash` / `Sha256.hmac`
Details

Impact

The HmacSha256 class contained two functions: - hash(payload) — a plain unkeyed SHA-256 digest. The Hmac prefix in the class name was misleading; this function has no key parameter, so it could never have been an HMAC. - hmacSHA256(key, data) — a properly keyed HMAC-SHA256.

A reader who didn't engage with the function signature could in principle have assumed HmacSha256.hash(payload) was somehow keyed, but the absence of any key parameter made that misuse unlikely in practice.

Who is affected: any downstream caller who read the class name and used HmacSha256.hash as a message authentication code without noticing it takes no key. Verified at v6.47.2.0: zero internal misuse in http4k itself. Both production usages of HmacSha256.hash (AWS SigV4 canonical-request hashing in AwsSignatureV4Signer.kt and x-amz-content-sha256 in awsExtensions.kt) are AWS-spec-correct uses of plain SHA-256; every keyed hmacSHA256(key, data) call passes a real key. The advisory exists so any downstream caller relying on the misleadingly-named API knows to migrate.

Patches

Upgrade to 6.49.0.0 or later. The fix introduces: - Sha256.hash(input) — unkeyed digest (the actual behaviour HmacSha256.hash provided). - Sha256.hmac(key, input) — keyed HMAC-SHA256 (the behaviour the name implied).

HmacSha256 is deprecated. Existing callers continue to work via deprecation shims; migrate to Sha256.hash or Sha256.hmac per intent.

Workarounds

If you cannot upgrade and you need a real HMAC-SHA256, use javax.crypto.Mac.getInstance("HmacSHA256") with a SecretKeySpec. For an unkeyed SHA-256 digest, use java.security.MessageDigest.getInstance("SHA-256"). The keyed hmacSHA256(key, data) was always correctly implemented and is safe to use as-is.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4k:http4k-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.49.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:16:03Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe `HmacSha256` class contained two functions:\n- `hash(payload)` \u2014 a plain unkeyed SHA-256 digest. The `Hmac` prefix in the class name was misleading; this function has no key parameter, so it could never have been an HMAC.\n- `hmacSHA256(key, data)` \u2014 a properly keyed HMAC-SHA256.\n\nA reader who didn\u0027t engage with the function signature could in principle have assumed `HmacSha256.hash(payload)` was somehow keyed, but the absence of any key parameter made that misuse unlikely in practice.\n\n**Who is affected:** any downstream caller who read the class name and used `HmacSha256.hash` as a message authentication code without noticing it takes no key. **Verified at v6.47.2.0: zero internal misuse in http4k itself.** Both production usages of `HmacSha256.hash` (AWS SigV4 canonical-request hashing in `AwsSignatureV4Signer.kt` and `x-amz-content-sha256` in `awsExtensions.kt`) are AWS-spec-correct uses of plain SHA-256; every keyed `hmacSHA256(key, data)` call passes a real key. The advisory exists so any downstream caller relying on the misleadingly-named API knows to migrate.\n\n### Patches\n\nUpgrade to **6.49.0.0** or later. The fix introduces:\n- `Sha256.hash(input)` \u2014 unkeyed digest (the actual behaviour `HmacSha256.hash` provided).\n- `Sha256.hmac(key, input)` \u2014 keyed HMAC-SHA256 (the behaviour the name implied).\n\n`HmacSha256` is deprecated. Existing callers continue to work via deprecation shims; migrate to `Sha256.hash` or `Sha256.hmac` per intent.\n\n### Workarounds\n\nIf you cannot upgrade and you need a real HMAC-SHA256, use `javax.crypto.Mac.getInstance(\"HmacSHA256\")` with a `SecretKeySpec`. For an unkeyed SHA-256 digest, use `java.security.MessageDigest.getInstance(\"SHA-256\")`. The keyed `hmacSHA256(key, data)` was always correctly implemented and is safe to use as-is.\n\n### References\n\n- Fix release: [v6.49.0.0](https://github.com/http4k/http4k/releases/tag/6.49.0.0)\n- Background: [RFC 2104 \u2014 HMAC: Keyed-Hashing for Message Authentication](https://datatracker.ietf.org/doc/html/rfc2104)",
  "id": "GHSA-m4w9-hjfw-vwj4",
  "modified": "2026-06-19T21:16:03Z",
  "published": "2026-06-19T21:16:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/http4k/http4k/security/advisories/GHSA-m4w9-hjfw-vwj4"
    },
    {
      "type": "WEB",
      "url": "https://datatracker.ietf.org/doc/html/rfc2104"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/http4k/http4k"
    },
    {
      "type": "WEB",
      "url": "https://github.com/http4k/http4k/releases/tag/6.49.0.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "http4k: `HmacSha256.hash` (despite the `Hmac` naming) computed a plain unkeyed digest; clarified by deprecation in favour of `Sha256.hash` / `Sha256.hmac`"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…