CVSS Score: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| basic-auth-connect | npm | < 1.1.0 | 1.1.0 |
The vulnerability stems from the use of a non-constant-time string comparison in the authentication callback. The commit diff shows the vulnerable code was replaced with timingSafeCompare() from 'tsscmp', explicitly addressing CWE-208. The original comparison in index.js line 57 used the '==' operator, whose execution time varies with the input's length and content, so it leaks timing information to a caller. This matches the CWE description and the patch details provided.