High severity · 7.5 · NVD Advisory · Published Jun 4, 2018 · Updated Jun 17, 2026
CVE-2017-16005
Description
http-signature is a "Reference implementation of Joyent's HTTP Signature Scheme". In versions <=0.9.11, http-signature signs only the header values, not the header names, which makes it vulnerable to header forgery. An attacker who can intercept a request can therefore swap header names and change the meaning of the request without invalidating the signature.
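The header-name swap described above, as an added JavaScript example (not http-signature's own code and not part of the advisory): a simplified model that compares a values-only signing string with one that binds each header name to its value. HMAC-SHA256, the key, and the header names `x-from` and `x-to` are constructed assumptions.

```javascript
// Simplified model of the flaw; not the http-signature source.
const crypto = require('crypto');

const KEY = 'constructed-demo-key'; // constructed shared secret (assumption)

// Weak form from the description: only the header values are signed.
function signingStringValuesOnly(headers, names) {
  return names.map((n) => headers[n]).join('\n');
}

// Name-bound form: every signed line is "lowercased-name: value".
function signingStringWithNames(headers, names) {
  return names.map((n) => `${n.toLowerCase()}: ${headers[n]}`).join('\n');
}

function sign(signingString) {
  return crypto.createHmac('sha256', KEY).update(signingString).digest('base64');
}

// Recompute the signature over the received headers and compare in constant time.
function verify(headers, names, signature, build) {
  const expected = Buffer.from(sign(build(headers, names)));
  const given = Buffer.from(signature);
  return expected.length === given.length && crypto.timingSafeEqual(expected, given);
}

function demo() {
  // Constructed request as the client signed it.
  const names = ['x-from', 'x-to'];
  const original = { 'x-from': 'alice', 'x-to': 'bob' };
  // Same values in the same order, but the header names are exchanged in transit.
  const swappedNames = ['x-to', 'x-from'];
  const swapped = { 'x-to': 'alice', 'x-from': 'bob' };

  const weakSig = sign(signingStringValuesOnly(original, names));
  const boundSig = sign(signingStringWithNames(original, names));
  return {
    weakAcceptsSwap: verify(swapped, swappedNames, weakSig, signingStringValuesOnly),
    boundAcceptsSwap: verify(swapped, swappedNames, boundSig, signingStringWithNames),
    boundAcceptsOriginal: verify(original, names, boundSig, signingStringWithNames),
  };
}

console.log(demo());
```
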
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| http-signature (npm) | < 0.10.0 | 0.10.0 |
Affected products
- HackerOne/http-signature node module (v5), Range: <=0.9.11
References
- github.com/joyent/node-http-signature/issues/10 (nvd: Patch, Third Party Advisory; WEB)
- github.com/advisories/GHSA-q257-vv4p-fg92 (ghsa: ADVISORY)
- nodesecurity.io/advisories/318 (nvd: Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-16005 (ghsa: ADVISORY)
- www.npmjs.com/advisories/318 (ghsa: WEB)