👟 Reproduction steps
Clone the Appwrite templates repository:
git clone https://github.com/appwrite/templates.git
Navigate to the vulnerable template:
cd templates/node/github-issue-bot
Verify the vulnerable code exists:
grep -n "typeof signature" src/github.js
Output:
19: typeof signature !== 'string' ||
Inspect the vulnerable function:
sed -n '1,80p' src/github.js
Create a PoC file:
cat > poc.js << 'EOF'
async function verifyWebhook(req) {
  const signature = req.headers['x-hub-signature-256'];
  return (
    typeof signature !== 'string' ||
    true // stands in for verify(...); never reached when the header is missing
  );
}
(async () => {
  const req = {
    headers: {}
  };
  const result = await verifyWebhook(req);
  console.log("[] Missing signature header");
  console.log("[] verifyWebhook() returned:", result);
  if (result === true) {
    console.log("[+] Vulnerability confirmed");
  } else {
    console.log("[-] Not vulnerable");
  }
})();
EOF
Execute the PoC:
node poc.js
Observe the output:
[] Missing signature header
[] verifyWebhook() returned: true
[+] Vulnerability confirmed
Additional verification:
node -e "const signature=undefined; console.log(typeof signature !== 'string' || false)"
Output:
true
This confirms that requests without the X-Hub-Signature-256 header are incorrectly treated as authenticated.
👍 Expected behavior
Requests missing the X-Hub-Signature-256 webhook signature header should be rejected.
verifyWebhook() should return false unless the webhook signature is cryptographically verified using the configured webhook secret.
👎 Actual Behavior
Requests without the X-Hub-Signature-256 header are treated as valid because of incorrect boolean logic:
typeof signature !== 'string' || verify(...)
When the header is missing, the first condition evaluates to true, causing the function to bypass signature verification entirely.
As a result, forged webhook requests may be accepted if the application relies on this function for authentication.
🎲 Appwrite version
Appwrite Cloud
💻 Operating system
Linux
🧱 Your Environment
OS: Kali Linux
Runtime: Node.js
Repository: appwrite/templates
Component: node/github-issue-bot
File: src/github.js
👀 Have you spent some time to check if this issue has been raised before?
🏢 Have you read the Code of Conduct?