Description
httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in `httpsig-hyper` prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust's `matches!` macro. Specifically, the comparison `if matches!(digest, _expected_digest)` treated `_expected_digest` as a pattern binding rather than a value comparison, resulting in unconditional success of the match expression. As a consequence, digest verification could incorrectly return success even when the computed digest did not match the expected value. Applications relying on Digest verification as part of HTTP message signature validation may therefore fail to detect message body modification. The severity depends on how the library is integrated and whether additional signature validation layers are enforced. This issue has been fixed in `httpsig-hyper` 0.0.23. The fix replaces the incorrect `matches!` usage with proper value comparison and additionally introduces constant-time comparison for digest verification as defense-in-depth. Regression tests have also been added to prevent reintroduction of this issue. Users are strongly advised to upgrade to the patched version. There is no reliable workaround without upgrading. Users who cannot immediately upgrade should avoid relying solely on Digest verification for message integrity and ensure that full HTTP message signature verification is enforced at the application layer.
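The bug the advisory describes, as an added Rust illustration that is not httpsig-hyper's own code: the `matches!` comparison shape beside a real value comparison done in constant time. The function names and the digest byte values are constructed for the example; `digest` stands for the value computed over the received body and `expected` for the value parsed from the digest header.

```rust
// Added illustration, not code from httpsig-hyper. Both digests are treated as
// raw bytes here (an assumption); the sample values below are constructed.

/// Vulnerable shape. In pattern position `_expected` is an identifier pattern,
/// which binds whatever `digest` is, so the match succeeds for every input.
/// rustc only warns that the implicit `_ => false` arm is unreachable.
#[allow(unreachable_patterns)]
fn digest_matches_vulnerable(digest: &[u8], _expected: &[u8]) -> bool {
    matches!(digest, _expected)
}

/// Fixed shape: a real value comparison. The early return on length is fine
/// because a digest's length is fixed by its algorithm and not secret; the
/// byte loop always runs to the end so timing does not reveal how many
/// leading bytes agreed.
fn digest_matches_fixed(digest: &[u8], expected: &[u8]) -> bool {
    if digest.len() != expected.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (a, b) in digest.iter().zip(expected) {
        diff |= a ^ b;
    }
    diff == 0
}

fn main() {
    // Constructed sample values: the digest declared for the original body,
    // and the digest a verifier computes over a tampered body.
    let declared: &[u8] = b"\x12\x34\x56\x78";
    let computed_over_tampered_body: &[u8] = b"\x12\x34\x56\x99";

    // prints: vulnerable: true  fixed: false
    println!(
        "vulnerable: {}  fixed: {}",
        digest_matches_vulnerable(computed_over_tampered_body, declared),
        digest_matches_fixed(computed_over_tampered_body, declared),
    );
}
```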
Published: 2026-02-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Message integrity bypass due to incorrect digest verification
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises from the misuse of Rust's `matches!` macro in the httpsig-hyper library, where the digest comparison was written as `if matches!(digest, _expected_digest)`. The macro interprets its right-hand side as a pattern, and a bare identifier in pattern position is an irrefutable binding rather than a value, so the condition succeeds unconditionally. Consequently, the library reports successful digest verification even when the computed digest does not match the expected value, allowing an attacker to modify the HTTP message body without detection. The weakness is classified as CWE-354 (Improper Validation of Integrity Check Value) and CWE-697 (Incorrect Comparison).

Affected Systems

Affected versions are all releases of httpsig-hyper prior to 0.0.23; the crate is part of the httpsig-rs project from the vendor junkurihara. Any application that incorporates this hyper extension for HTTP message signatures without applying additional integrity checks is vulnerable. The issue applies to HTTP traffic handled via Hyper and to any client or server code that relies solely on the Digest header verification provided by this library.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low likelihood of active exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, meaning no exploitation in the wild has been confirmed. The attack vector is network (AV:N in the CVSS vector): an attacker positioned to alter HTTP requests or responses in transit can change the message body without the digest check detecting it. The impact of exploitation would be the undetected alteration of message content, potentially leading to unauthorized actions or data tampering. Because older versions remain unpatched, remediation remains a high priority.

Generated by OpenCVE AI on April 17, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the httpsig‑hyper library to version 0.0.23 or later, which replaces the incorrect matches! usage with proper value comparison and adds a constant‑time digest check.
  • If an upgrade cannot be performed immediately, ensure that full HTTP message signature verification is enforced at the application level and do not rely solely on the Digest header to guarantee message integrity.
  • Implement regression tests that verify digest calculations and comparisons to guard against future regressions in this logic.


Advisories

Source: GitHub GHSA
ID: GHSA-7v42-g35v-xrch
Title: Improper Digest Verification in httpsig-hyper May Allow Message Integrity Bypass
History

Tue, 03 Mar 2026 17:45:00 +0000
  First Time appeared (values added): Junkurihara httpsig-hyper
  CPEs (values added): cpe:2.3:a:junkurihara:httpsig-hyper:*:*:*:*:*:rust:*:*
  Vendors & Products (values added): Junkurihara httpsig-hyper

Fri, 20 Feb 2026 17:15:00 +0000
  Metrics (values added): ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000
  First Time appeared (values added): Junkurihara; Junkurihara httpsig-rs
  Vendors & Products (values added): Junkurihara; Junkurihara httpsig-rs

Thu, 19 Feb 2026 21:45:00 +0000
  Description (values added): httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in `httpsig-hyper` prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust's `matches!` macro. Specifically, the comparison `if matches!(digest, _expected_digest)` treated `_expected_digest` as a pattern binding rather than a value comparison, resulting in unconditional success of the match expression. As a consequence, digest verification could incorrectly return success even when the computed digest did not match the expected value. Applications relying on Digest verification as part of HTTP message signature validation may therefore fail to detect message body modification. The severity depends on how the library is integrated and whether additional signature validation layers are enforced. This issue has been fixed in `httpsig-hyper` 0.0.23. The fix replaces the incorrect `matches!` usage with proper value comparison and additionally introduces constant-time comparison for digest verification as defense-in-depth. Regression tests have also been added to prevent reintroduction of this issue. Users are strongly advised to upgrade to the patched version. There is no reliable workaround without upgrading. Users who cannot immediately upgrade should avoid relying solely on Digest verification for message integrity and ensure that full HTTP message signature verification is enforced at the application layer.
  Title (values added): httpsig-hyper has Improper Digest Verification that May Allow Message Integrity Bypass
  Weaknesses (values added): CWE-354, CWE-697
  References (values added)
  Metrics (values added): cvssV3_1
  {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-02-20T15:42:05.498Z

Reserved: 2026-02-12T17:10:53.413Z

Link: CVE-2026-26275

Vulnrichment

Updated: 2026-02-20T15:32:14.371Z

NVD

Status: Analyzed

Published: 2026-02-19T22:16:46.493

Modified: 2026-03-03T17:44:32.643

Link: CVE-2026-26275

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:00:12Z

Weaknesses