Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg5eDItNXJtNy14NGdt
Insecure Comparison in secure-compare
Versions of secure-compare prior to 3.0.1 are affected by a vulnerability that results in the package always returning true when comparing two strings of the same length, despite differences in the contents of those strings.
Recommendation
Upgrade to version 3.0.1 or later.
Permalink: https://github.com/advisories/GHSA-h9x2-5rm7-x4gm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg5eDItNXJtNy14NGdt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: over 1 year ago
EPSS Percentage: 0.00077
EPSS Percentile: 0.34526
Identifiers: GHSA-h9x2-5rm7-x4gm, CVE-2015-9238
References:
- https://github.com/vdemedes/secure-compare/pull/1
- https://www.npmjs.com/advisories/50
- https://nvd.nist.gov/vuln/detail/CVE-2015-9238
- https://github.com/vadimdemedes/secure-compare/commit/dd1ff1ac0122de7e0af4f00c61ed73261062394a
- https://github.com/advisories/GHSA-h9x2-5rm7-x4gm
Blast Radius: 0.0
Affected Packages
npm:secure-compare
Dependent packages: 62
Dependent repositories: 26,833
Downloads: 10,680,372 last month
Affected Version Ranges: < 3.0.1
Fixed in: 3.0.1
All affected versions: 0.9.0
All unaffected versions: 3.0.1