CVE-2015-9238

MEDIUM

secure-compare < 3.0.1 - Incorrect String Comparison


Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-9238. PoCs published by m0d0ri205.

AI-analyzed exploit summary: This repository contains a functional exploit PoC for CVE-2015-9238, demonstrating an authentication bypass vulnerability in a Node.js application. The exploit leverages insecure password comparison logic to bypass authentication and retrieve a flag file.

Description

secure-compare 3.0.0 and below do not actually compare two strings properly. The compare function was comparing its first argument with itself instead of with the second argument, so the only way the check could fail was a length mismatch: it passed for any two strings of the same length.

Exploits (1)

nomisec WORKING POC
by m0d0ri205 · poc
https://github.com/m0d0ri205/wargame-turkey_in_2


Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Custom Node.js application (version not specified)
No auth needed
Prerequisites: Access to the target application's login endpoint
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References
Third Party Advisory (x_refsource_misc)
https://github.com/vdemedes/secure-compare/pull/1
Third Party Advisory (x_refsource_misc)
https://nodesecurity.io/advisories/50

Scores

CVSS v3 5.3
EPSS 0.0022
EPSS Percentile 44.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE
CWE-697 CWE-134
Status published
Products (2)
npm/secure-compare 0 - 3.0.1 (npm)
secure-compare_project/secure-compare < 3.0.1
Published May 31, 2018
Tracked Since Feb 18, 2026