npm

Severity: high

Insecure Comparison

secure-compare

Overview

Versions of secure-compare prior to 3.0.1 are affected by a vulnerability that results in the package always returning true when comparing two strings of the same length, despite differences in the contents of those strings.
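An added example (not code from secure-compare or from this advisory): a regression check for the failure described above, run against a constructed flawed comparison and against a comparison built on Node's `crypto.timingSafeEqual`. The names `flawedCompare`, `safeCompare` and `checkCompare` and the sample token strings are hypothetical, and the flawed function only illustrates one way such a defect can arise.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');

// Constructed illustration of the failure class (NOT the package's source):
// the loop XORs `a` with itself, so `b` is never read and only length matters.
function flawedCompare(a, b) {
  if (a.length !== b.length) return false;
  let mismatch = 0;
  for (let i = 0; i < a.length; i++) {
    mismatch |= a.charCodeAt(i) ^ a.charCodeAt(i); // bug: should read b
  }
  return mismatch === 0;
}

// Comparison built on Node's timingSafeEqual. Both inputs are hashed first
// so the buffers always have equal length (timingSafeEqual throws otherwise).
function safeCompare(a, b) {
  const ha = createHash('sha256').update(String(a), 'utf8').digest();
  const hb = createHash('sha256').update(String(b), 'utf8').digest();
  return timingSafeEqual(ha, hb);
}

// Regression check: returns the names of the cases a compare function fails.
// All sample values are constructed for this example.
function checkCompare(compare) {
  const cases = [
    ['equal', 'token-abc123', 'token-abc123', true],
    ['same length, different content', 'token-abc123', 'token-xyz789', false],
    ['same length, last char differs', 'token-abc123', 'token-abc124', false],
    ['different length', 'token-abc123', 'token-abc', false],
    ['both empty', '', '', true],
  ];
  return cases
    .filter(([, a, b, want]) => compare(a, b) !== want)
    .map(([name]) => name);
}

console.log('flawedCompare fails:', checkCompare(flawedCompare));
console.log('safeCompare fails:', checkCompare(safeCompare));
```

Passing the installed package's exported function to `checkCompare` in a project's test suite gives a quick check that the upgraded version is the one actually resolved.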

Remediation

Upgrade to version 3.0.1 or later.


Advisory timeline

  1. published: Advisory published, Oct 24th, 2015
  2. reported: Initial report by Joshua Dague, Oct 24th, 2015