fix(Change-encryption-mode): From AES-256-CBC to AES-256-GCM#1
Closed
jmjimenezlp wants to merge 3 commits intomainfrom
Closed
fix(Change-encryption-mode): From AES-256-CBC to AES-256-GCM#1jmjimenezlp wants to merge 3 commits intomainfrom
jmjimenezlp wants to merge 3 commits intomainfrom
Conversation
Due to the security audit done in this project is required to change the encryption used: https://dojo.fpkmon.com/finding/2213
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
achetronic
requested changes
Mar 30, 2026
| # | ||
| # Akamai decryption: | ||
| # - Algorithm : AES-256-CBC | ||
| # - Algorithm : AES-256-GCM (random 12-byte nonce per cookie, prepended to the value) |
Member
There was a problem hiding this comment.
Hey, hey, not possible in akamai to decrypt using all the algorithms you want. Just accepting two of them for AES256
CC: @devploit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Due to the security audit done in this project is required to change the encryption used: https://dojo.fpkmon.com/finding/2213
Note
Medium Risk
Changes the on-the-wire cookie format and encryption algorithm, so any downstream decryptor (e.g. Akamai) must be updated in lockstep. Crypto refactor also removes the fixed/random IV modes, which could break existing configurations relying on them.
Overview
Migrates cookie encryption from
AES-256-CBCtoAES-256-GCM(AEAD), generating a fresh random 12-byte nonce per request and encoding cookies asbase64(nonce || sealed)(ciphertext + tag).Removes CBC-specific configuration (
iv_modeandCEEP_ENCRYPTION_IV) and updates the plugin to always use GCM when not inset_static_cookie_valuemode.Hardens the emitted cookie by adding
HttpOnly; Secure, and updatesREADME.mdplusdocs/samples/istio-wasmplugin.yamlto reflect the new format and decryption steps.Written by Cursor Bugbot for commit 421c01f. This will update automatically on new commits. Configure here.