secure-compare

Insecure Comparison

Severity: high

Overview

Versions of secure-compare prior to 3.0.1 are affected by a vulnerability that results in the package always returning true when comparing two strings of the same length, despite differences in the contents of those strings.

Remediation

Upgrade to version 3.0.1 or later.
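
A regression check for the behaviour described in the Overview, as an added example that is not the package's own code. `brokenCompare` is a constructed stand-in that only reproduces the described symptom, and `safeCompare`, `PROBES` and `auditComparator` are hypothetical names introduced here.

```javascript
// Constructed stand-in for the symptom in the advisory: any two strings of
// equal length compare as equal. This is NOT the package's source code.
function brokenCompare(a, b) {
  return a.length === b.length;
}

// Reference comparison: XOR every byte pair into one accumulator so the loop
// does not exit early on the first mismatch, then test the accumulator once.
function safeCompare(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  const enc = new TextEncoder();
  const x = enc.encode(a);
  const y = enc.encode(b);
  let diff = x.length ^ y.length;          // a length mismatch is a mismatch
  for (let i = 0; i < x.length; i++) {
    diff |= x[i] ^ (y[i] ?? 0);            // pad the shorter input with 0
  }
  return diff === 0;
}

// Constructed probe inputs. The same-length, different-content cases are the
// ones an affected comparator gets wrong.
const PROBES = [
  { a: 'token-AAAA', b: 'token-AAAA', equal: true },
  { a: 'token-AAAA', b: 'token-BBBB', equal: false }, // same length, differs
  { a: 'token-AAAA', b: 'token-AAAB', equal: false }, // differs in last char
  { a: 'Xoken-AAAA', b: 'token-AAAA', equal: false }, // differs in first char
  { a: 'token',      b: 'token-AAAA', equal: false }, // different length
  { a: '',           b: '',           equal: true },
];

// Returns a description of every probe the comparator answered incorrectly.
// An empty array means the comparator passed.
function auditComparator(compare) {
  return PROBES
    .filter((p) => Boolean(compare(p.a, p.b)) !== p.equal)
    .map((p) => `${JSON.stringify(p.a)} vs ${JSON.stringify(p.b)}`);
}

console.log('broken:', auditComparator(brokenCompare));
console.log('safe:  ', auditComparator(safeCompare));
```

Passing the comparator your project actually imports to `auditComparator` in a unit test confirms that the upgraded dependency is the one being loaded.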

Vulnerable versions

0.9.0 (4 years ago)
3.0.0 (3 years ago)

Unaffected versions

3.0.1 (3 years ago)

Advisory timeline

  1. Published

    Advisory published
    Oct 24th, 2015
  2. Reported

    Initial report by Joshua Dague
    Oct 24th, 2015