CVE-2024-13939
Published: 28 March 2025
Summary
CVE-2024-13939 is a high-severity Observable Timing Discrepancy (CWE-208) vulnerability in the String::Compare::ConstantTime Perl module (CPAN author FRACTAL). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 44.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SC-31 (Covert Channel Analysis).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires timely identification, reporting, and correction of the timing side-channel flaw in String::Compare::ConstantTime through patching or upgrading the vulnerable Perl module.
- RA-5 (Vulnerability Monitoring and Scanning): enables regular vulnerability scanning to identify systems using the vulnerable version of the String::Compare::ConstantTime Perl module affected by CVE-2024-13939.
- SC-31 (Covert Channel Analysis): mandates analysis and reduction of covert timing channels, directly mitigating the observable timing discrepancy that leaks secret string lengths in the equals function.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The remote unauthenticated nature of the timing side-channel leak in a comparison function used for secrets directly enables exploitation of public-facing applications (T1190). The length disclosure of passwords/tokens/keys facilitates brute force attacks by narrowing the search space (T1110).
NVD Description
String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string. As stated in the documentation: "If the lengths of the strings are different, because equals returns false right away the size of the secret string may be leaked (but not its contents)." This is similar to CVE-2020-36829.
Deeper analysis
CVE-2024-13939 is a timing side-channel vulnerability in the String::Compare::ConstantTime Perl module through version 0.321. The flaw arises because the equals function returns false immediately if the input string and secret string have different lengths, enabling attackers to infer the secret string's length through observable timing differences without revealing its contents. This issue is classified under CWE-208 (Observable Timing Discrepancy) and CWE-203 (Observable Discrepancy), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Any remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction. By repeatedly submitting strings of varying lengths for comparison against a secret string—such as in authentication tokens, passwords, or cryptographic keys—the attacker measures response times to determine the exact length of the secret, potentially aiding further attacks like brute-forcing or enumeration.
The vulnerability is documented in the module's source code at https://metacpan.org/release/FRACTAL/String-Compare-ConstantTime-0.321/view/lib/String/Compare/ConstantTime.pm#TIMING-SIDE-CHANNEL, which explicitly notes: "If the lengths of the strings are different, because equals returns false right away the size of the secret string may be leaked (but not its contents)." This is similar to CVE-2020-36829, and practitioners should upgrade to newer versions of the module if available or avoid using it for constant-time comparisons of secrets.
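The following C program is an added illustration of the two comparison shapes discussed above; it is not code from String::Compare::ConstantTime or from the CPAN author. It contrasts a comparison that returns early on a length mismatch (the pattern the advisory describes) with one that folds the length mismatch into the accumulator and always iterates over the caller-supplied input, so the amount of work no longer reveals the secret's length. Instead of measuring wall-clock time, each function reports how many loop iterations it executed, and a small unit-test style check (the assumed helper name work_depends_on_secret_length) compares that work profile across two secrets of different lengths, which is the check a maintainer could keep in CI. All sample secrets and guesses are constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one comparison plus the number of byte operations it performed.
   The operation count stands in for wall-clock time, which is noisy to measure. */
typedef struct {
    int equal;    /* 1 if the two byte strings match, else 0 */
    size_t work;  /* loop iterations executed */
} cmp_result;

typedef cmp_result (*cmp_fn)(const unsigned char *, size_t,
                             const unsigned char *, size_t);

/* Vulnerable shape described in the advisory: a length mismatch returns
   immediately, so the work done reveals whether the guess matched the
   secret's length (slen iterations) or not (0 iterations). */
cmp_result equals_early_return(const unsigned char *secret, size_t slen,
                               const unsigned char *input, size_t ilen)
{
    cmp_result r = {0, 0};
    if (slen != ilen)
        return r;                  /* early exit: this is the leak */
    unsigned char acc = 0;
    for (size_t i = 0; i < slen; i++) {
        acc |= (unsigned char)(secret[i] ^ input[i]);
        r.work++;
    }
    r.equal = (acc == 0);
    return r;
}

/* Hardened shape: the loop always runs over the caller-supplied input, and a
   length mismatch is folded into the accumulator through a mask rather than a
   branch. When the lengths differ the input is compared against itself, so
   every iteration does the same work and the total depends only on ilen. */
cmp_result equals_length_blind(const unsigned char *secret, size_t slen,
                               const unsigned char *input, size_t ilen)
{
    cmp_result r = {0, 0};
    size_t diff = slen ^ ilen;
    /* Top bit of (diff | -diff) is set iff diff != 0; shift it down to 0 or 1. */
    size_t nonzero = (diff | (0 - diff)) >> (sizeof(size_t) * 8 - 1);
    uintptr_t mask = 0 - (uintptr_t)nonzero;     /* all ones if lengths differ */
    /* Branch-free pointer select: input when lengths differ, else secret. */
    const unsigned char *other = (const unsigned char *)
        (((uintptr_t)input & mask) | ((uintptr_t)secret & ~mask));
    unsigned char acc = (unsigned char)nonzero;  /* mismatch => never equal */
    for (size_t i = 0; i < ilen; i++) {
        acc |= (unsigned char)(other[i] ^ input[i]);
        r.work++;
    }
    r.equal = (acc == 0);
    return r;
}

/* Hypothetical CI check: feed the same guess lengths to two secrets of
   different lengths and report 1 if the work profile changes between them.
   A length-independent comparison yields identical profiles for both. */
int work_depends_on_secret_length(cmp_fn cmp)
{
    /* Constructed sample secrets; the byte values are arbitrary. */
    const unsigned char *a = (const unsigned char *)"tok-12";      /* 6 bytes */
    const unsigned char *b = (const unsigned char *)"tok-12345";   /* 9 bytes */
    unsigned char guess[16];
    memset(guess, 'x', sizeof guess);
    for (size_t n = 0; n <= sizeof guess; n++) {
        if (cmp(a, 6, guess, n).work != cmp(b, 9, guess, n).work)
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("early-return work depends on secret length: %d\n",
           work_depends_on_secret_length(equals_early_return));
    printf("length-blind work depends on secret length: %d\n",
           work_depends_on_secret_length(equals_length_blind));
    return 0;
}
```

The iteration counter models control flow only; whether a compiled build stays free of length-dependent branches also depends on the compiler not reintroducing one, which is why the pointer selection uses a mask instead of a ternary. Note that the hardened version's total work still scales with the length of the caller's own input, which is not secret. Where the secret's length must be hidden from every observer regardless of how the caller invokes the comparison, the usual alternative is to compare fixed-length digests (for example, an HMAC of each side) so both operands always have the same size.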
Details
- CWE(s)