GHSA-GXHX-2686-5H9G: GHSA-gxhx-2686-5h9g: Signature Verification Bypass in slack-go via Empty SecretsVerifier

#security #cve #cybersecurity #ghsa

GHSA-gxhx-2686-5h9g: Signature Verification Bypass in slack-go via Empty SecretsVerifier

Vulnerability ID: GHSA-GXHX-2686-5H9G
CVSS Score: 7.7
Published: 2026-05-14

The slack-go library prior to version 0.23.1 contains a cryptographic signature verification vulnerability. The SecretsVerifier component fails to validate whether the provided Slack signing secret is empty. Applications initializing this verifier with an empty string—such as from a missing environment variable—allow attackers to bypass request authentication by forging signatures with an empty HMAC key.

TL;DR

slack-go < 0.23.1 permits empty signing secrets, enabling attackers to bypass Slack request verification by generating valid HMAC signatures using an empty key if the application environment is misconfigured.

Technical Details

CWE ID: CWE-347
Attack Vector: Network
CVSS Score: 7.7
Impact: Authentication Bypass / Origin Forgery
Exploit Status: none
Authentication Required: None

Affected Systems

Applications utilizing github.com/slack-go/slack for Slack webhook and Slash command verification
Go services with misconfigured or unset SLACK_SIGNING_SECRET environment variables
github.com/slack-go/slack: < 0.23.1 (Fixed in: 0.23.1)

Mitigation Strategies

Upgrade slack-go to version 0.23.1 or later
Implement explicit length validation on environment variables used for cryptographic keys
Adopt fail-closed startup routines for security configurations

Remediation Steps:

Verify the current version of github.com/slack-go/slack in the go.mod file
Run go get github.com/slack-go/slack@v0.23.1 to update the dependency
Add precondition checks in the application code to verify the signing secret is not an empty string before calling NewSecretsVerifier
Audit container orchestration and deployment manifests to ensure SLACK_SIGNING_SECRET is correctly populated
Recompile and redeploy the application