GHSA-m4w9-hjfw-vwj4HighDisclosed before NVD

http4k: `HmacSha256.hash` (despite the `Hmac` naming) computed a plain unkeyed digest; clarified by deprecation in favour of `Sha256.hash` / `Sha256.hmac`

Published
June 19, 2026
Last Modified
June 19, 2026

📋 Description

Impact

The HmacSha256 class contained two functions:

  • hash(payload) — a plain unkeyed SHA-256 digest. The Hmac prefix in the class name was misleading; this function has no key parameter, so it could never have been an HMAC.
  • hmacSHA256(key, data) — a properly keyed HMAC-SHA256.

A reader who didn't engage with the function signature could in principle have assumed HmacSha256.hash(payload) was somehow keyed, but the absence of any key parameter made that misuse unlikely in practice.

Who is affected: any downstream caller who read the class name and used HmacSha256.hash as a message authentication code without noticing it takes no key. Verified at v6.47.2.0: zero internal misuse in http4k itself. Both production usages of HmacSha256.hash (AWS SigV4 canonical-request hashing in AwsSignatureV4Signer.kt and x-amz-content-sha256 in awsExtensions.kt) are AWS-spec-correct uses of plain SHA-256; every keyed hmacSHA256(key, data) call passes a real key. The advisory exists so any downstream caller relying on the misleadingly-named API knows to migrate.

Patches

Upgrade to 6.49.0.0 or later. The fix introduces:

  • Sha256.hash(input) — unkeyed digest (the actual behaviour HmacSha256.hash provided).
  • Sha256.hmac(key, input) — keyed HMAC-SHA256 (the behaviour the name implied).

HmacSha256 is deprecated. Existing callers continue to work via deprecation shims; migrate to Sha256.hash or Sha256.hmac per intent.

Workarounds

If you cannot upgrade and you need a real HMAC-SHA256, use javax.crypto.Mac.getInstance("HmacSHA256") with a SecretKeySpec. For an unkeyed SHA-256 digest, use java.security.MessageDigest.getInstance("SHA-256"). The keyed hmacSHA256(key, data) was always correctly implemented and is safe to use as-is.

References

🎯 Affected products1

  • maven/org.http4k:http4k-core:< 6.49.0.0

🔗 References (4)