Skip to content

Insecure Comparison in secure-compare

High severity GitHub Reviewed Published Jun 3, 2019 to the GitHub Advisory Database • Updated Apr 5, 2023

Package

npm secure-compare (npm)

Affected versions

< 3.0.1

Patched versions

3.0.1

Description

Versions of secure-compare prior to 3.0.1 are affected by a vulnerability that results in the package always returning true when comparing two strings of the same length, despite differences in the contents of those strings.

Recommendation

Upgrade to version 3.0.1 or later.

References

Reviewed Jun 3, 2019
Published to the GitHub Advisory Database Jun 3, 2019
Last updated Apr 5, 2023

Severity

High

EPSS score

0.077%
(34th percentile)

Weaknesses

CVE ID

CVE-2015-9238

GHSA ID

GHSA-h9x2-5rm7-x4gm

Source code

No known source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.