CVE-2024-13939
Published: 28 March 2025
Description
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Security Summary
CVE-2024-13939 is a timing side-channel vulnerability in the String::Compare::ConstantTime Perl module through version 0.321. The flaw arises because the equals function returns false immediately if the input string and secret string have different lengths, enabling attackers to infer the secret string's length through observable timing differences without revealing its contents. This issue is classified under CWE-208 (Observable Timing Discrepancy) and CWE-203 (Observable Discrepancy), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Any remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction. By repeatedly submitting strings of varying lengths for comparison against a secret string—such as in authentication tokens, passwords, or cryptographic keys—the attacker measures response times to determine the exact length of the secret, potentially aiding further attacks like brute-forcing or enumeration.
The vulnerability is documented in the module's source code at https://metacpan.org/release/FRACTAL/String-Compare-ConstantTime-0.321/view/lib/String/Compare/ConstantTime.pm#TIMING-SIDE-CHANNEL, which explicitly notes: "If the lengths of the strings are different, because equals returns false right away the size of the secret string may be leaked (but not its contents)." This is similar to CVE-2020-36829, and practitioners should upgrade to newer versions of the module if available or avoid using it for constant-time comparisons of secrets.
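As an added illustration that is not code from the advisory or from the String::Compare::ConstantTime module, the early-return pattern the summary describes is shown beside a hardened form; SECRET and the work counter are constructed stand-ins for a real secret and for measured response time.

```python
"""Length leak in an early-return 'constant-time' compare, and a hardened form."""
import hashlib
import hmac
import secrets
from typing import Callable, Tuple

# Constructed sample secret for the demonstration (not from the advisory).
SECRET = b"s3cr3t-token-0xA5"


def equals_early_return(secret: bytes, candidate: bytes) -> Tuple[bool, int]:
    """Mirrors the flawed pattern: bail out as soon as the lengths differ.

    Returns (equal, work), where `work` counts byte comparisons performed,
    a deterministic stand-in for elapsed time.
    """
    if len(secret) != len(candidate):
        return False, 0  # zero work: an observer learns len(candidate) != len(secret)
    diff = 0
    for a, b in zip(secret, candidate):
        diff |= a ^ b
    return diff == 0, len(secret)


_KEY = secrets.token_bytes(32)  # fresh per process; never needs to be stored


def equals_length_independent(secret: bytes, candidate: bytes) -> Tuple[bool, int]:
    """Hardened form: HMAC both sides under a random key, then compare the
    fixed-size tags. Work on the candidate depends only on the candidate's
    own length (which the caller already knows), never on the secret's.
    In a server, tag_secret would be computed once and cached.
    """
    tag_secret = hmac.new(_KEY, secret, hashlib.sha256).digest()
    tag_cand = hmac.new(_KEY, candidate, hashlib.sha256).digest()
    return hmac.compare_digest(tag_secret, tag_cand), len(tag_secret)


def length_is_observable(compare: Callable[[bytes, bytes], Tuple[bool, int]],
                         secret: bytes) -> bool:
    """Probe with two wrong candidates, one of the secret's length and one not.
    If the work counts differ, the secret's length is observable."""
    same_len = bytes(len(secret))       # wrong content, right length
    other_len = bytes(len(secret) + 1)  # wrong content, wrong length
    _, w1 = compare(secret, same_len)
    _, w2 = compare(secret, other_len)
    return w1 != w2
```

The work counter makes the leak deterministic for demonstration; in production the same difference shows up as response-time variance, which is what the advisory describes.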
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The remote unauthenticated nature of the timing side-channel leak in a comparison function used for secrets directly enables exploitation of public-facing applications (T1190). The length disclosure of passwords/tokens/keys facilitates brute force attacks by narrowing the search space (T1110).