<p>Upgrade to version 3.0.1 or greater. </p> <p>When direct dependency update is not possible, use <a href="https://snyk.io/docs/using-snyk#wizard"><code>snyk wizard</code></a> to patch against this vulnerability.</p>

Insecure Comparison Affecting secure-compare package, versions <3.0.1

Snyk CVSS

Attack Complexity Low

Threat Intelligence

EPSS 0.08% (32^nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID npm:secure-compare:20151024
published 6 Nov 2015
disclosed 24 Oct 2015
credit Joshua Dague

Report a new vulnerability Found a mistake?

Introduced: 24 Oct 2015

CVE-2015-9238 Open this link in a new tab CWE-697 Open this link in a new tab

How to fix?

Upgrade to version 3.0.1 or greater.

When direct dependency update is not possible, use snyk wizard to patch against this vulnerability.

Overview

secure-compare is a node implementation of constant-time comparison algorithm to prevent timing attacks for Node.js. In versions prior to 3.0.1, the compare function made sure that the length of the two arguments is the same, and then mistakenly compared the first argument to itself, meaning that the function would return true for any two arguments of the same length.

References

https://github.com/vdemedes/secure-compare/pull/1