CVE-2026-21713

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...

CVE-2025-53940 Quiet uses insecure, inconsistent verification on local backend token

Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In versions 6.1.0-alpha.4 and below, Quiet's API for backend/frontend communication was using an insecure, not constant-time comparison function for tok...

CVE-2025-53940 Quiet uses insecure, inconsistent verification on local backend token

Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In versions 6.1.0-alpha.4 and below, Quiet's API for backend/frontend communication was using an insecure, not constant-time comparison function for tok...

Timing Attack

Overview Affected versions of this package are vulnerable to Timing Attack due to an insecure non-constant time comparison in DERP server mesh authentication. Note: All Tailscale-operated DERP servers and Tailscale users who operate their own custom DERP servers with more than one server per regi...

PT-2024-32459 · Unknown · Basic-Auth-Connect

Name of the Vulnerable Software and Affected Versions: basic-auth-connect versions prior to 1.1.0 Description: The issue concerns a timing-unsafe equality comparison in basic-auth-connect that can leak timing information. This comparison can potentially allow an attacker to observe differences in...

Timing Attack

generator-jhipster is vulnerable to a Timing Attack. The vulnerability exists because the TokenProvider.java uses String.equalsstr to compare the given token-signature. This comparison method does not effectively validate the token because it stops as soon as it encounters the first character tha...

CVE-2023-32691

CVE-2023-32691 affects gost (GO Simple Tunnel) written in Go. The root cause is untrusted input from an HTTP header being compared directly to a secret (not using constant-time comparison), enabling a side-channel timing attack to guess secrets. The common remediation is to switch to constant-tim...

Timing Attack

nickveenhof/http-hmac-php is vulnerable to timing attacks. The vulnerability exists due to insecure usage of !== during hmac comparison in authenticate and isAuthentic functions in RequestAuthenticator.php and ResponseAuthenticator.php which may lead to an information disclosure...

CVE-2019-14007

Due to the use of non-time-constant comparison functions there is issue in timing side channels which can be used as a potential side channel for SUI corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile,...

Information Disclosure

armeria is vulnerable to information disclosure. The vulnerability allows an attacker to conduct a timing attack due to the insecure usage of equals between strings used for comparing sensitive values...

CVE-2019-10071

The code which checks HMAC in form submissions used String.equals for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their payload. The comparison...

Moderate severity vulnerability that affects org.apache.mesos:mesos

Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token JWT. In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timi...

Timing Attacks

django-anymail is vulnerable to timing attacks. The WEBHOOKAUTHORIZATION shared secret can be obtained because it is not compared in constant time. This allows an attacker to decipher the secret by using the time a call takes to return...

DEBIAN-CVE-2017-12872

The 1 Htpasswd authentication source in the authcrypt module and 2 SimpleSAMLSession class in SimpleSAMLphp 1.14.11 and earlier allow remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input...

CVE-2017-5361

Request Tracker RT 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack...