Insecure Comparison

Module: secure-compare

Published: October 24th, 2015

Reported by: Joshua Dague

CVE-NONE

CWE-697

Vulnerable: <=3.0.0
Patched: >3.0.0

Overview

Versions of secure-compare prior to 3.0.1 always return true when comparing two strings of the same length, even when the contents of those strings differ.

Remediation

Upgrade to version 3.0.1 or later.
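The failure mode described in the overview, with a regression check for it, as an added example that is not secure-compare's own source or test suite. `lengthOnlyCompare` is a constructed bug that reproduces the symptom; `xorCompare`, `auditCompare` and the sample strings are hypothetical.

```javascript
// Added example; none of these names come from the secure-compare package.

// Constructed buggy comparison that reproduces the advisory's symptom:
// the loop XORs `a` against itself, so only the length check decides.
function lengthOnlyCompare(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  let mismatch = a.length === b.length ? 0 : 1;
  for (let i = 0; i < a.length; i++) {
    mismatch |= a.charCodeAt(i) ^ a.charCodeAt(i); // bug: never reads b
  }
  return mismatch === 0;
}

// Corrected form: accumulate the differences between a and b at every index.
function xorCompare(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  let mismatch = a.length === b.length ? 0 : 1;
  const other = mismatch ? a : b; // on length mismatch, still walk all of a
  for (let i = 0; i < a.length; i++) {
    mismatch |= a.charCodeAt(i) ^ other.charCodeAt(i);
  }
  return mismatch === 0;
}

// Regression check: returns a description of every case the function gets wrong.
function auditCompare(compare) {
  const secret = 's3cret-token'; // constructed sample value
  const cases = [
    [secret, secret, true],                          // identical
    [secret, 'X'.repeat(secret.length), false],      // same length, all different
    [secret, secret.slice(0, -1) + 'N', false],      // same length, last char differs
    ['S' + secret.slice(1), secret, false],          // same length, first char differs
    [secret, secret.slice(0, 6), false],             // different length
    ['', '', true],                                  // both empty
    ['', 'a', false],                                // empty vs non-empty
  ];
  return cases
    .filter(([a, b, expected]) => compare(a, b) !== expected)
    .map(([a, b]) => `${JSON.stringify(a)} vs ${JSON.stringify(b)}`);
}
```

Passing the function exported by the installed package to `auditCompare` should return an empty list on a patched version; this assumes the module exports a two-argument comparison function.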

References

PR #1