Security: timing-vulnerable token comparison in AuthMiddleware (CWE-208) #575
Description
Summary
The AuthMiddleware.validateRequest() method in src/mcp/auth/AuthMiddleware.ts uses direct === comparison for Bearer token validation. This is vulnerable to timing attacks (CWE-208) where an attacker can extract the secret token byte-by-byte by measuring response time differences.
Location
- File: src/mcp/auth/AuthMiddleware.ts, line 22
- Code: return parsed.token === this.authToken;
Impact
An attacker with network access to the MCP server endpoint can potentially extract the authentication token through statistical analysis of response timing. The === operator in JavaScript/TypeScript short-circuits on the first differing character, leaking information about how many leading characters match.
Suggested Fix
Replace === with crypto.timingSafeEqual() using SHA-256 digests to ensure constant-time comparison regardless of input length.
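The hardened comparison described in this fix, written here as an added example rather than the project's own code: constantTimeTokenEquals and validateAuthorizationHeader are hypothetical stand-ins for the token check inside AuthMiddleware.validateRequest(), and the Bearer header parsing is an assumption about how the token is extracted.

```typescript
import { createHash, timingSafeEqual } from "crypto";

// Hypothetical stand-in for the current check at line 22. String === returns
// as soon as a length or character mismatch is found, so the time spent
// depends on how long the matching prefix is (CWE-208).
function vulnerableTokenEquals(presented: string, expected: string): boolean {
  return presented === expected;
}

// Hardened version: reduce both values to a fixed-size SHA-256 digest and
// compare the digests with crypto.timingSafeEqual. The digest step matters
// because timingSafeEqual requires equal-length buffers; hashing first makes
// the compared buffers always 32 bytes, whatever the presented token's length.
function constantTimeTokenEquals(presented: string, expected: string): boolean {
  const a = createHash("sha256").update(presented, "utf8").digest();
  const b = createHash("sha256").update(expected, "utf8").digest();
  return timingSafeEqual(a, b);
}

// Why the digest step is needed: timingSafeEqual on raw, unequal-length
// inputs throws instead of returning false, which would both break the
// handler and reveal whether the guessed length was right.
function rawTimingSafeEqualThrowsOnLengthMismatch(): boolean {
  try {
    timingSafeEqual(Buffer.from("abc"), Buffer.from("abcd"));
    return false;
  } catch {
    return true;
  }
}

// Hypothetical minimal model of validateRequest(): pull the token out of an
// Authorization header (scheme assumed to be a case-sensitive "Bearer") and
// check it in constant time against the configured secret.
function validateAuthorizationHeader(
  header: string | undefined,
  authToken: string
): boolean {
  if (!header) return false;
  const match = /^Bearer\s+(\S+)$/.exec(header);
  if (!match) return false;
  return constantTimeTokenEquals(match[1], authToken);
}
```

Both helpers return the same booleans for the same inputs; only the time they take to reach a false result differs, which is exactly what the timing channel exploits.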
Found by SpiderShield security scanner