A postmortem: CVE-2025-32811 (webhook signing)
In late July a researcher disclosed a webhook-replay window in our HMAC verification. Here is what happened and what we changed.
what was reported
On 2025-07-19, an external researcher (full credit and bounty paid; they asked to remain anonymous) demonstrated that DevFlow's webhook signing did not strictly enforce timestamp recency on the receiving side.
A webhook captured on its way to your endpoint and replayed within ~24 hours would still verify, because once the HMAC check passed nothing bounded how old the signed timestamp could be: the tolerance window was effectively unbounded.
the impact
The replay required three things at once: the customer's webhook secret had leaked, the attacker had captured an earlier webhook, and the customer's endpoint did not enforce its own freshness check. Under those conditions the captured webhook could be replayed.
We are not aware of any customer who was successfully attacked using this path. The full sub-processor and customer-list audit completed on 2025-07-30 with no anomalies.
what we changed
In version 3.1 (released 2025-07-22, three days after disclosure):
- Receiving-side validation now rejects timestamps older than 5 minutes by default, configurable down to 60 seconds.
- The CLI's webhook test command warns if your endpoint accepts timestamps older than 5 minutes.
- We added a webhook-integration best-practice section explicitly recommending timestamp checks on the receiving side.
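The receiving-side check described above, as an added example that is not DevFlow's code or its documented wire format: it assumes the sender computes HMAC-SHA256 over `"<timestamp>.<body>"` and ships the timestamp and hex signature with the body, and the names `sign`, `verify_authenticity_only`, `verify` and `endpoint_accepts_stale` are assumptions. The secret, body and timestamps are constructed. The old verifier checks authenticity only (the pre-3.1 behaviour); the hardened one also rejects timestamps outside the 5-minute default window, and the last function does what the CLI warning does, replaying a deliberately stale signed delivery against a verifier and reporting whether it is accepted.

```python
import hashlib
import hmac
import time

# Constructed sample values for the demonstration (not real DevFlow data).
SECRET = b"constructed-webhook-secret"
BODY = b'{"event":"build.completed","id":"constructed-123"}'
T0 = 1_752_900_000  # constructed sending time (Unix seconds)

DEFAULT_TOLERANCE_SECONDS = 300  # the 5-minute default the fix introduced
MIN_TOLERANCE_SECONDS = 60       # the 60-second floor mentioned in the post


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side. Assumed wire format: HMAC-SHA256 over "<timestamp>.<body>",
    hex-encoded, transmitted together with the timestamp and the body."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_authenticity_only(secret, timestamp, body, signature, now=None) -> bool:
    """The pre-3.1 behaviour described in the post: the MAC is checked, but
    nothing bounds how old the signed timestamp may be, so a captured
    (timestamp, body, signature) triple verifies indefinitely.
    `now` is accepted only so both verifiers share a signature; it is ignored."""
    return hmac.compare_digest(sign(secret, timestamp, body), signature)


def verify(secret, timestamp, body, signature, now=None,
           tolerance_seconds=DEFAULT_TOLERANCE_SECONDS) -> bool:
    """Hardened receiver: authenticity and freshness.
    The MAC is checked first so the timestamp used for the freshness decision
    is itself authenticated; then the timestamp must lie within the tolerance
    of the receiver's clock (in either direction, to allow for clock skew)."""
    if tolerance_seconds < MIN_TOLERANCE_SECONDS:
        raise ValueError("tolerance below 60 seconds is not supported")
    if not hmac.compare_digest(sign(secret, timestamp, body), signature):
        return False
    if now is None:
        now = int(time.time())
    return abs(now - timestamp) <= tolerance_seconds


def endpoint_accepts_stale(verifier, secret, body, stale_by=600, now=T0) -> bool:
    """The check behind the CLI warning, reimplemented as an assumption: sign a
    delivery that is `stale_by` seconds old and report whether `verifier`
    still accepts it. True means the endpoint lacks a freshness check."""
    sent_at = now - stale_by
    sig = sign(secret, sent_at, body)
    return verifier(secret, sent_at, body, sig, now=now)


def demo() -> dict:
    """Replay scenario from the post: a webhook captured at T0 is presented
    again about 24 hours later, against each verifier."""
    sig = sign(SECRET, T0, BODY)
    day_later = T0 + 24 * 3600
    return {
        "fresh_delivery_new_verifier": verify(SECRET, T0, BODY, sig, now=T0 + 10),
        "replay_old_verifier": verify_authenticity_only(SECRET, T0, BODY, sig, now=day_later),
        "replay_new_verifier": verify(SECRET, T0, BODY, sig, now=day_later),
        "tampered_body_new_verifier": verify(SECRET, T0, BODY + b" ", sig, now=T0),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

Two general caveats, not specific to DevFlow: a freshness window still permits replay of the same delivery inside that window, so receivers that must be strictly idempotent also record recently seen delivery identifiers; and the window only works if the receiver's clock is kept in sync, which is why the check tolerates skew in both directions rather than only rejecting "too old".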
what we got right
The CVE-to-fix window was 72 hours. We notified affected customers within 24 hours of confirmation. The fix did not require a customer-side action — only the upgrade for receiving-side enforcement.
what we got wrong
The original receiving-side validation example in our docs did not call out timestamp freshness; that documentation gap was the proximate cause of the issue. We have updated the example, audited the rest of /docs for similar omissions, and added a checklist to the security review for new integrations.
thanks
The researcher who disclosed this followed our coordinated-disclosure window without complaint and worked with us through the fix. If you find something, security@devflow.io.
— Priya, with the security team