Intel

AIKIDO-2026-591645

@shopify/shopify-api is vulnerable to Improper Verification of Cryptographic Signature

Improper Verification of Cryptographic Signature Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

59

Medium Risk

This Affects:

JS@shopify/shopify-api
6.0.0 - 13.0.0
Fixed in 13.1.0
Are you affected? Scan for Free

TL;DR

The runtime cookie handling in @shopify/shopify-api signs OAuth state and session cookies with HMAC-SHA256 using the app API secret directly, which is the same key, algorithm, and base64 encoding used to validate incoming Shopify webhook HMACs. Because the signing domains are not separated, a signed OAuth state cookie signature is also a valid X-Shopify-Hmac-SHA256 webhook signature for a body equal to the cookie value. An attacker who obtains such a signed value (for example by starting an OAuth flow) can replay the signature to forge webhook deliveries such as app/uninstalled that pass validation. The fix signs cookies with a cookie-specific key derived from the API secret via HKDF, adds constant-time signature comparison, and increases OAuth state nonce entropy to 32 random bytes.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your app signs OAuth state or session cookies rather than using token-exchange-only authentication.

Background info

@shopify/shopify-api is vulnerable to Improper Verification of Cryptographic Signature in versions 6.0.0 - 13.0.0.

How to fix this

Upgrade the @shopify/shopify-api library to the patch version.