Skip to content

http4k: `ServerFilters.DigestAuth` / `DigestAuthProvider` defaulted to an always-true nonce verifier, disabling replay protection in default deployments

Moderate severity GitHub Reviewed Published Jun 16, 2026 in http4k/http4k • Updated Jun 19, 2026

Package

maven org.http4k:http4k-security-digest (Maven)

Affected versions

>= 6.0.0.0, < 6.48.0.0
>= 5.0.0.0, < 5.42.0.0
< 4.51.0.0

Patched versions

6.48.0.0
5.42.0.0
4.51.0.0

Description

Impact

ServerFilters.DigestAuth and the underlying DigestAuthProvider both defaulted their nonceVerifier parameter to { true } — i.e. every nonce was accepted regardless of value, age, or prior use. Any deployment using the default configuration had no replay protection on Digest authentication; a captured Authorization: Digest … response could be replayed indefinitely against the same protected resource.

The nonce-verification mechanism in Digest auth is the primary anti-replay control — without it, Digest reduces to a credential bound only to a stale nonce string.

Who is affected: any application using ServerFilters.DigestAuth or DigestAuthProvider with the default nonceVerifier. The broken default has been present since DigestAuthProvider was introduced (2021). Exploitation requires the attacker to first capture a valid Digest response (network observation, log access, etc.) — non-trivial in modern TLS deployments but not impossible. Anyone running Digest auth with default config should treat upgrade as urgent.

Patches

Line Fixed in Edition
v6.x (Community) 6.48.0.0 Community
v5.x (LTS) 5.42.0.0 Enterprise — contact enterprise@http4k.org (if Digest auth is present in your v5.x line)
v4.x (LTS) 4.51.0.0 Enterprise — contact enterprise@http4k.org (if Digest auth is present in your v4.x line)

The fix ([Break]) removes the default value for nonceVerifier from both ServerFilters.DigestAuth and DigestAuthProvider. Callers must now supply a real verifier explicitly — the broken default cannot be silently inherited.

Workarounds

For deployments that cannot upgrade immediately: explicitly supply a nonceVerifier that tracks issued nonces, enforces a TTL, and rejects re-use. Do not rely on the default.

References

@daviddenton daviddenton published to http4k/http4k Jun 16, 2026
Published to the GitHub Advisory Database Jun 19, 2026
Reviewed Jun 19, 2026
Last updated Jun 19, 2026

Severity

Moderate

EPSS score

Weaknesses

Authentication Bypass by Capture-replay

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-c7jm-38gq-h67h

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.