basic-auth-connect's callback uses time unsafe string comparison
Description
basic-auth-connect is Connect's Basic Auth middleware in its own module. basic-auth-connect < 1.1.0 uses a timing-unsafe equality comparison that can leak timing information. This issue has been fixed in basic-auth-connect 1.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
basic-auth-connect before 1.1.0 uses a timing-unsafe equality comparison that can leak authentication credentials via timing side-channel attacks.
Vulnerability Overview
basic-auth-connect, a Node.js middleware for HTTP Basic Authentication, prior to version 1.1.0, performs user credential verification using a non-constant-time string comparison (==). This timing-unsafe equality check allows an attacker to deduce valid username/password pairs by measuring the time taken for the comparison to fail, thus leaking authentication information through a timing side channel.
Attack Vector and Exploitation
The vulnerability is exploitable remotely with low complexity and no required privileges or user interaction [1][2]. An attacker in a position to make repeated HTTP requests to the target service can measure response variations to infer correct characters of the credentials without needing prior authentication. Timing differences exist because the == operator in JavaScript returns early upon mismatched characters, making the comparison duration proportional to the number of matching prefix characters.
Impact and Mitigation
A successful timing attack can lead to full authentication bypass, granting the attacker access to protected resources with the privileges of the compromised user. This directly impacts confidentiality and integrity of the application [2]. The issue has been fixed in version 1.1.0 by adopting a timing-safe comparison function (tsscmp) for all credential checks [4]. Users are strongly advised to update to the latest version to mitigate the risk.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| basic-auth-connect (npm) | < 1.1.0 | 1.1.0 |
Affected products
- Range: < 1.1.0
- expressjs/basic-auth-connect (v5): Range: < 1.1.0
Patches
bac1e6a8530e feat: add timing safe equal comparison
2 files changed · +9 −3
index.js+4 −1 modified@@ -1,3 +1,4 @@ +var timingSafeCompare = require('tsscmp'); var http = require('http'); /*! @@ -53,7 +54,9 @@ module.exports = function basicAuth(callback, realm) { if ('string' != typeof password) throw new Error('password argument required'); realm = arguments[2]; callback = function(user, pass){ - return user == username && pass == password; + const usernameValid = timingSafeCompare(user, username); + const passwordValid = timingSafeCompare(pass, password); + return usernameValid && passwordValid; } }
package.json+5 −2 modified@@ -18,12 +18,15 @@ "url": "https://github.com/expressjs/basic-auth-connect/issues" }, "devDependencies": { + "connect": "*", "mocha": "*", "should": "*", - "supertest": "*", - "connect": "*" + "supertest": "*" }, "scripts": { "test": "make test" + }, + "dependencies": { + "tsscmp": "^1.0.6" } }
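Review bot: in the index.js hunk at `@@ -53,7 +54,9 @@`, the added lines use `const` while the rest of the file, including the `var timingSafeCompare = require('tsscmp');` line added in the first hunk, uses `var`; using `var usernameValid = ...` / `var passwordValid = ...` keeps the file consistent and avoids narrowing the Node versions the package runs on. The structure of the replacement is right, though: computing `usernameValid` and `passwordValid` before combining them matters, because `timingSafeCompare(user, username) && timingSafeCompare(pass, password)` would skip the password comparison whenever the username is wrong and reintroduce a measurable difference between a bad username and a bad password.

Review bot: the package.json hunk moves `"connect": "*"` within `devDependencies` without changing it, which is unrelated churn that makes a security fix harder to review; keeping the diff to the new `"dependencies"` entry `"tsscmp": "^1.0.6"` would make the change self-evidently minimal.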
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-7p89-p6hx-q4fw (ghsa, ADVISORY)
2. nvd.nist.gov/vuln/detail/CVE-2024-47178 (ghsa, ADVISORY)
3. github.com/expressjs/basic-auth-connect/commit/bac1e6a8530e1efd0028800b9b588a37adb0d203 (ghsa, x_refsource_MISC, WEB)
4. github.com/expressjs/basic-auth-connect/security/advisories/GHSA-7p89-p6hx-q4fw (ghsa, x_refsource_CONFIRM, WEB)