Observable Timing Discrepancy Affecting nodejs package, versions [0,]
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CONAN-NODEJS-15763412
- published25 Mar 2026
- disclosed25 Mar 2026
- creditx_probe
Introduced: 25 Mar 2026
NewCVE-2026-21713 (opens in a new tab)How to fix?
A fix was pushed into the master branch but not yet published.
Overview
Affected versions of this package are vulnerable to Observable Timing Discrepancy due to the crypto_hmac.cc module using memcmp(), a non-constant-time comparison function to validate user-provided HMAC signatures, rather than the timing-safe equivalents used elsewhere in the codebase. An attacker capable of taking high-resolution timing measurements can use the application as a timing oracle. Because the comparison leaks timing information proportional to the number of matching bytes, the attacker can iteratively infer the expected HMAC values, ultimately enabling them to forge valid Message Authentication Codes (MACs).