CVE-2024-13939

CVE-2024-13939: String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string

Vendor Fractal
Product String::Compare::ConstantTime
Weakness CWE-208
Published March 28, 2025
Last update March 28, 2025

CVSS base score

What the vulnerability does

01Description

String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string. As stated in the documentation: "If the lengths of the strings are different, because equals returns false right away the size of the secret string may be leaked (but not its contents)." This is similar to CVE-2020-36829

Key dates

02Disclosure timeline

March 28, 2025 CVE published
March 28, 2025 Record updated