Description
secure-compare versions 3.0.0 and below do not compare two strings properly. The compare function was comparing the first argument with itself, so the check passed for any two strings of the same length.
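The following is an added example, not code from the secure-compare package or this advisory. It reconstructs the class of bug described above next to a corrected comparison and a small regression table that catches it. The names compareBuggy, compareFixed, CASES and failingCases are hypothetical, and the sample strings are constructed.

```javascript
// Illustrative reconstruction of the bug class; not the package's source.
function compareBuggy(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  let mismatch = a.length === b.length ? 0 : 1;
  for (let i = 0; i < a.length; i++) {
    // BUG: both operands come from `a`, so the XOR is always 0 and
    // only the length check above can ever set `mismatch`.
    mismatch |= a.charCodeAt(i) ^ a.charCodeAt(i);
  }
  return mismatch === 0;
}

// Corrected form: every character of `a` is XORed with the matching
// character of `b`, and the differences are accumulated without an early exit.
function compareFixed(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  let mismatch = a.length === b.length ? 0 : 1;
  // On a length mismatch, walk `a` against itself so the loop still runs
  // a.length iterations; `mismatch` is already 1, so the result is false.
  const other = mismatch ? a : b;
  for (let i = 0; i < a.length; i++) {
    mismatch |= a.charCodeAt(i) ^ other.charCodeAt(i);
  }
  return mismatch === 0;
}

// Regression cases (constructed): each row is [a, b, expected result].
const CASES = [
  ['s3cr3t-token', 's3cr3t-token', true],   // identical
  ['s3cr3t-token', 'XXXXXXXXXXXX', false],  // same length, different content
  ['s3cr3t-token', 's3cr3t-tokem', false],  // only the last character differs
  ['s3cr3t-token', 's3cr3t', false],        // different length
  ['', '', true],                           // empty strings
  ['abc', 123, false],                      // non-string input
];

// Returns the cases for which `fn` gives the wrong answer.
function failingCases(fn) {
  return CASES.filter(([a, b, expected]) => fn(a, b) !== expected);
}

console.log('buggy implementation, failing cases:', failingCases(compareBuggy).length);
console.log('fixed implementation, failing cases:', failingCases(compareFixed).length);
```

A test suite containing only identical strings and strings of different lengths passes against the buggy version; the same-length, different-content rows are the ones that expose it.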
Remediation
References
https://nodesecurity.io/advisories/50
https://github.com/vdemedes/secure-compare/pull/1