LiveActive security incident?Get immediate response
CVE Record

CVE-2015-9238: secure-compare 3.0.0 and below do not actually compare two strings properly.

secure-compare 3.0.0 and below do not actually compare two strings properly. compare was actually comparing the first argument with itself, meaning the check passed for any two strings of the same length.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

Applications using secure-compare 3.0.0 or earlier may accept the wrong secret when two values have the same length. That can undermine checks that depend on comparing tokens, signatures, or other secret strings. The published sources do not provide CVSS, affected applications, or confirmed exploitation.

Executive priority

Prioritize if the package is present in internet-facing authentication, webhook, API, or token validation paths. Otherwise treat as a dependency hygiene issue requiring confirmation and planned remediation.

Technical view

The module's compare function compared the first argument with itself instead of comparing both arguments. The result was a flawed equality check where mismatched strings of equal length could pass. CVE maps this to CWE-697, incorrect comparison. Evidence identifies HackerOne secure-compare node module versions 3.0.0 and below as affected.

Likely exposure

Exposure is limited to Node.js projects that depend on secure-compare <=3.0.0 and use it for security-sensitive equality checks. Dependency presence alone does not prove reachable impact; usage context matters.

Exploitation context

The source bundle does not cite active exploitation, and the CVE is not listed as KEV. Practical impact depends on whether an application used this comparison result to authorize access, validate secrets, or trust a request.

Researcher notes

The evidence is concise but specific about the bug class and affected version range. Missing items include CVSS, exploit reports, and a named fixed version in the provided bundle, so remediation should be verified against upstream sources.

Mitigation direction

  • Inventory secure-compare versions in application dependency manifests and lockfiles.
  • Check upstream advisory and repository guidance for the fixed or unaffected version.
  • Upgrade or replace affected dependency according to vendor guidance.
  • Review security-sensitive comparison call sites that used this module.
  • Consider secret rotation only if reachable misuse or suspicious activity is found.

Validation and detection

  • Confirm whether secure-compare <=3.0.0 is installed in production builds.
  • Map all call sites to authentication, authorization, or request validation decisions.
  • Run safe negative tests to ensure mismatched equal-length values are rejected.
  • Review application logs around impacted comparison paths for suspicious acceptance events.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-697: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2015-9238 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
3Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
HackerOnesecure-compare node module<=3.0.0Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-697 · source CWE mapping

Incorrect Comparison

Incorrect Comparison represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.