CVE-2024-13939: String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string Stig Palmquist 28 Mar 2025 02:07 UTC

========================================================================
CVE-2024-13939                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2024-13939
   Distribution:  String-Compare-ConstantTime
       Versions:  through 0.321

       MetaCPAN:  https://metacpan.org/dist/String-Compare-ConstantTime
       VCS Repo:  https://github.com/hoytech/String-Compare-ConstantTime

String::Compare::ConstantTime for Perl through 0.321 is vulnerable to
timing attacks that allow an attacker to guess the length of a secret
string

Description
-----------
String::Compare::ConstantTime for Perl through 0.321 is vulnerable to
timing attacks that allow an attacker to guess the length of a secret
string.

As stated in the documentation: "If the lengths of the strings are
different, because equals returns false right away the size of the
secret string may be leaked (but not its contents)."

This is similar to CVE-2020-36829, a length-leaking comparison in another
constant-time compare implementation.
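The following Perl is an added illustration written for this advisory; it is
not code from String::Compare::ConstantTime or from CPANSec. It shows the
leaky pattern the documentation describes (an early return on a length
mismatch, so the call takes measurably less time when the guess has the
wrong length) next to one common mitigation: hashing both inputs to a
fixed-size digest before comparing, so the comparison length no longer
depends on the secret. The pure-Perl `ct_equal_fixed_length` helper and the
`equals_*` names are assumptions for the example, and the secret and guesses
are constructed sample values.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA qw(sha256);            # core module, fixed 32-byte output
use Time::HiRes qw(gettimeofday tv_interval);

# Pure-Perl constant-time compare of two strings that are already known to
# have the same length (assumed helper, not the module's XS code).
# The OR-accumulated XOR visits every byte regardless of where a
# mismatch occurs.
sub ct_equal_fixed_length {
    my ($x, $y) = @_;
    die "ct_equal_fixed_length: lengths must match\n"
        unless length($x) == length($y);
    my $acc = 0;
    $acc |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $acc == 0 ? 1 : 0;
}

# Leaky pattern (CWE-208): bails out before the byte loop when the lengths
# differ, so run time reveals whether the guess has the secret's length.
sub equals_leaks_length {
    my ($secret, $guess) = @_;
    return 0 if length($secret) != length($guess);   # early exit
    return ct_equal_fixed_length($secret, $guess);
}

# Hardened: compare SHA-256 digests instead of the raw strings. Both
# digests are always 32 bytes, so the amount of work is independent of the
# secret's length; the digest cost depends only on each input's own length.
sub equals_hides_length {
    my ($secret, $guess) = @_;
    return ct_equal_fixed_length(sha256($secret), sha256($guess));
}

# Wall-clock an operation over many iterations (coarse, but enough to see
# the early exit on a local machine).
sub time_call {
    my ($code, $iters) = @_;
    my $t0 = [gettimeofday];
    $code->() for 1 .. $iters;
    return tv_interval($t0);
}

unless (caller) {
    my $secret = 'correct-horse-battery-staple';   # constructed sample secret
    my $short  = 'x' x 5;                          # wrong length
    my $same   = 'x' x length($secret);            # right length, wrong bytes
    my $iters  = 200_000;

    for my $case ([leaky => \&equals_leaks_length],
                  [hardened => \&equals_hides_length]) {
        my ($name, $fn) = @$case;
        my $t_short = time_call(sub { $fn->($secret, $short) }, $iters);
        my $t_same  = time_call(sub { $fn->($secret, $same)  }, $iters);
        printf "%-8s wrong-length: %.4fs  right-length: %.4fs\n",
            $name, $t_short, $t_same;
    }
    # Sanity: both variants still agree on the actual answer.
    die unless equals_leaks_length($secret, $secret)
           and equals_hides_length($secret, $secret)
           and not equals_hides_length($secret, $same);
}
```

Run it a few times: the leaky variant finishes noticeably faster for the
wrong-length guess, while the hardened variant's two timings track each
other, because every call compares exactly 32 bytes. Hashing does not hide
the length of the attacker's own input (the SHA-256 cost grows with it),
but that is information the attacker already has.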

Problem types
-------------
CWE-208 Observable Timing Discrepancy

References
----------
https://metacpan.org/release/FRACTAL/String-Compare-ConstantTime-0.321/view/lib/String/Compare/ConstantTime.pm#TIMING-SIDE-CHANNEL

Credits
-------
Robert Rothenberg, reporter