slack_bolt is vulnerable to Improper Authentication
48
Medium Risk
The RequestVerification middleware in slack_bolt skips Slack request signature verification whenever the form body contains ssl_check=1. When an application disables the built-in SSL check middleware, this exemption lets an unsigned HTTP request continue through the normal middleware and listener pipeline, so a forged request that omits a valid x-slack-signature can reach slash command and event handlers. This lets untrusted input invoke handler logic without a valid Slack signature. The fix removes the ssl_check exemption so signature verification is required for all HTTP requests and only Socket Mode requests are skipped.
You are affected if you are using a version that falls within the vulnerable range and your app disables the SSL check middleware by setting ssl_check_enabled to False.
slack_bolt is vulnerable to Improper Authentication in versions 1.0.0 - 1.28.0.
Upgrade the slack_bolt library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant