CVE-2015-9238

MEDIUM

Secure-compare < 3.0.1 - Format String Vulnerability

Title source: rule

Description

secure-compare 3.0.0 and below does not compare two strings properly. The compare function was comparing the first argument with itself, so the check passed for any two strings of the same length.
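
The defect described above, modeled beside a corrected form, with a regression check for any compare(a, b) function. This is an added example, not the secure-compare source; the function names and sample strings are constructed for illustration.

```javascript
// Added illustration; not the secure-compare source.
// flawedCompare models the defect in the description: the loop XORs `a`
// against itself, so only the length check can ever fail.
function flawedCompare(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  let mismatch = a.length === b.length ? 0 : 1;
  for (let i = 0; i < a.length; i++) {
    mismatch |= a.charCodeAt(i) ^ a.charCodeAt(i); // bug: second operand should be b
  }
  return mismatch === 0;
}

// fixedCompare: same shape, but each code unit of `a` is XORed with `b`.
function fixedCompare(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  let mismatch = a.length === b.length ? 0 : 1;
  // When lengths differ the result is already "not equal"; walk `a` against
  // itself so the loop still runs a.length iterations without reading past b.
  const other = mismatch ? a : b;
  for (let i = 0; i < a.length; i++) {
    mismatch |= a.charCodeAt(i) ^ other.charCodeAt(i);
  }
  return mismatch === 0;
}

// Regression check: returns the input pairs for which `compare` gives the
// wrong answer. The same-length, different-content pair is the one that
// exposes this class of bug.
function regressionFailures(compare) {
  const cases = [ // constructed sample values
    ['token-AAAA', 'token-AAAA', true],
    ['token-AAAA', 'token-BBBB', false], // same length, different content
    ['token-AAAA', 'token-AAA', false],  // different length
    ['', '', true],
    ['abc', 123, false],                 // non-string input
  ];
  return cases
    .filter(([a, b, want]) => compare(a, b) !== want)
    .map(([a, b]) => [a, b]);
}
```

A test suite that only checks equal strings and strings of different lengths passes against the flawed version, which is why the same-length mismatch case belongs in any test for a comparison helper. On Node.js, crypto.timingSafeEqual over equal-length Buffers is a built-in alternative.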

Exploits (1)

nomisec WORKING POC
by m0d0ri205 · poc
https://github.com/m0d0ri205/wargame-turkey_in_2

Scores

CVSS v3 5.3
EPSS 0.0022
EPSS Percentile 44.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE
CWE-697 CWE-134
Status published
Products (2)
npm/secure-compare 0 - 3.0.1 (npm)
secure-compare_project/secure-compare < 3.0.1
Published May 31, 2018
Tracked Since Feb 18, 2026