tapio / live-server

A simple development http server with live reload capability.
http://tapiov.net/live-server/

critical vulnerability for Replay Attack #365

Open PinalSa opened 3 years ago

PinalSa commented 3 years ago

Hi, currently live-server is using http-auth version 3.1.3. A high-severity vulnerability is detected for this http-auth version on Veracode.

Replay Attack: http-auth is vulnerable to a replay attack. The vulnerability exists because it does not properly invalidate expired nonces in validateNonce, which allows a replay attack when the client specifies a large nonceCount value.

Latest version for http-auth is 4.1.2.

Can someone please help with upgrading the version so this issue is fixed?

yandeu commented 3 years ago

I have forked live-server and removed http-auth.

Downside: htpasswd does not work yet. Everything else works great!