familia is vulnerable to Authentication Bypass
59
Medium Risk
Familia::VerifiableIdentifier.secret_key loads the HMAC signing key from the VERIFIABLE_ID_HMAC_SECRET environment variable and only raises when the variable is entirely absent. A value that is present but blank or whitespace-only passes the check and is used as the HMAC key, so verifiable identifiers are signed and verified under an effectively empty secret. An attacker aware of the empty key can forge identifiers that pass verified_identifier?, defeating the authenticity guarantee the module provides. The fix treats a nil, empty, or whitespace-only secret the same as a missing one and raises instead of signing under an empty key.
You are affected if you are using a version that falls within the vulnerable range and the VERIFIABLE_ID_HMAC_SECRET environment variable is set to an empty or whitespace-only value.
familia is vulnerable to Authentication Bypass in versions 2.11.0 - 2.11.0.
Upgrade the familia library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant