@shopify/shopify-api is vulnerable to Improper Verification of Cryptographic Signature
59
Medium Risk
The runtime cookie handling in @shopify/shopify-api signs OAuth state and session cookies with HMAC-SHA256 using the app API secret directly, which is the same key, algorithm, and base64 encoding used to validate incoming Shopify webhook HMACs. Because the signing domains are not separated, a signed OAuth state cookie signature is also a valid X-Shopify-Hmac-SHA256 webhook signature for a body equal to the cookie value. An attacker who obtains such a signed value (for example by starting an OAuth flow) can replay the signature to forge webhook deliveries such as app/uninstalled that pass validation. The fix signs cookies with a cookie-specific key derived from the API secret via HKDF, adds constant-time signature comparison, and increases OAuth state nonce entropy to 32 random bytes.
You are affected if you are using a version that falls within the vulnerable range and your app signs OAuth state or session cookies rather than using token-exchange-only authentication.
@shopify/shopify-api is vulnerable to Improper Verification of Cryptographic Signature in versions 6.0.0 - 13.0.0.
Upgrade the @shopify/shopify-api library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant