GHSA-h9x2-5rm7-x4gm

GitHub Security Advisory

Insecure Comparison in secure-compare

✓ GitHub Reviewed | HIGH | Has CVE

Advisory Details

Versions of `secure-compare` prior to 3.0.1 are affected by a vulnerability that results in the package always returning true when comparing two strings of the same length, despite differences in the contents of those strings.

## Recommendation

Upgrade to version 3.0.1 or later.
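A regression check for the failure mode described above, as an added example (not code from the `secure-compare` package or from this advisory). The names `constantTimeEqual`, `checkComparator`, `lengthOnlyCompare` and the test vectors are constructed for illustration.

```javascript
// Reference comparison (added example, not the secure-compare source):
// XOR-accumulates every character so the loop never exits early.
// Best effort only: JavaScript engines do not guarantee constant time.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  let mismatch = a.length === b.length ? 0 : 1;
  // On a length mismatch, scan a against itself so the loop still runs
  // a.length iterations; mismatch is already 1, so the result stays false.
  const other = mismatch ? a : b;
  for (let i = 0; i < a.length; i++) {
    mismatch |= a.charCodeAt(i) ^ other.charCodeAt(i);
  }
  return mismatch === 0;
}

// Constructed test vectors: [a, b, expected result].
const VECTORS = [
  ["s3cr3t-token", "s3cr3t-token", true],  // identical
  ["s3cr3t-token", "s3cr3t-tokeN", false], // same length, last char differs
  ["s3cr3t-token", "X3cr3t-token", false], // same length, first char differs
  ["aaaaaaaaaaaa", "bbbbbbbbbbbb", false], // same length, every char differs
  ["s3cr3t-token", "s3cr3t", false],       // shorter prefix
  ["", "", true],
  ["", "a", false],
];

// Runs any (a, b) => boolean comparator over the vectors and returns the
// cases it gets wrong; an empty array means the comparator passed.
function checkComparator(compare) {
  const failures = [];
  for (const [a, b, expected] of VECTORS) {
    const got = Boolean(compare(a, b));
    if (got !== expected) failures.push({ a, b, expected, got });
  }
  return failures;
}

// Constructed stand-in for the behaviour the advisory describes: equal
// length alone is treated as a match. Hypothetical, used only by the check.
function lengthOnlyCompare(a, b) {
  return a.length === b.length;
}

console.log("reference failures:", checkComparator(constantTimeEqual).length);
console.log("length-only failures:", checkComparator(lengthOnlyCompare));
```

To test an installed dependency, pass its exported function to `checkComparator`, for example `checkComparator(require("secure-compare"))`, assuming the module exports the comparison function directly.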

Affected Packages

npm secure-compare
Affected versions: all versions before 3.0.1 (fixed in 3.0.1)

Related CVEs

Key Information

- GHSA ID: GHSA-h9x2-5rm7-x4gm
- Published: June 3, 2019 5:28 PM
- Last Modified: August 31, 2020 6:09 PM
- CVSS Score: 7.5 / 10
- Primary Ecosystem: npm
- Primary Package: secure-compare
- GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 4, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.