AIKIDO-2026-10701
@slack/bolt is vulnerable to Improper Authentication
85
High Risk
This Affects:
@slack/boltTL;DR
Incoming Slack HTTPS probes carry only ssl_check metadata during SSL handshake verification, but HTTP adapters treated any truthy ssl_check form field as an unconditional exemption from Slack signing-secret verification instead of requiring the canonical literal string value Slack specifies; malformed truthy tokens therefore skipped crypto verification altogether while additional URL-encoded pairs appended alongside could piggyback on that exemption unless stripped upstream of verification routing. The implementation now accepts bypass exclusively when ssl_check equals exactly 1 and rejects non-canonical variants before verifying signatures on ordinary webhook payloads.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
@slack/bolt is vulnerable to Improper Authentication in versions 1.0.0 - 4.7.1.
How to fix this
Upgrade the @slack/bolt library to the patch version.
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant