Affected versions of http-signature contain a vulnerability which can allow an attacker in a privileged network position to modify header names and change the meaning of the request, without requiring an updated signature.

This problem occurs because vulnerable versions of http-signature sign the contents of headers, but not the header names.

Proof of Concept

Consider this to be the initial, untampered request:

POST /pay HTTP/1.1
Host: example.com
Date: Thu, 05 Jan 2012 21:31:40 GMT
X-Payment-Source: [email protected]
X-Payment-Destination: [email protected]
Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="x-payment-source x-payment-destination" MDyO5tSvin5...

And the request is intercepted and tampered as follows:

X-Payment-Source: [email protected] // Emails switched
X-Payment-Destination: [email protected]
Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="x-payment-destination x-payment-source" MDyO5tSvin5...

In the resulting responses, both requests would pass signature verification without issue.

[email protected]\n
[email protected]\n

Update to version 0.10.0 or higher.