Insecure Comparison Affecting secure-compare package, versions <3.0.1
Snyk CVSS
Attack Complexity
Low
Threat Intelligence
EPSS
0.08% (32nd
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID npm:secure-compare:20151024
- published 6 Nov 2015
- disclosed 24 Oct 2015
- credit Joshua Dague
Introduced: 24 Oct 2015
CVE-2015-9238 Open this link in a new tabHow to fix?
Upgrade to version 3.0.1 or greater.
When direct dependency update is not possible, use snyk wizard
to patch against this vulnerability.
Overview
secure-compare is a node implementation of constant-time comparison algorithm to prevent timing attacks for Node.js. In versions prior to 3.0.1, the compare
function made sure that the length of the two arguments is the same, and then mistakenly compared the first argument to itself, meaning that the function would return true for any two arguments of the same length.