
X_Probe

#44404 of 53,622
5.9 Total CVSS
Vulnerabilities · 1
PT-2026-28317
5.9
2026-01-01
Node.Js · Node.Js · CVE-2026-21713
**Name of the Vulnerable Software and Affected Versions**

Node.js versions 20.x through 25.x

**Description**

A flaw exists in Node.js HMAC verification where a non-constant-time comparison is used when validating signatures provided by a user. This could potentially leak timing information proportional to the number of matching bytes. Under specific threat models where high-resolution timing measurements are possible, this behavior may be exploited as a timing oracle to infer HMAC values. Node.js already includes timing-safe comparison primitives used in other parts of the codebase, suggesting this is an oversight rather than an intentional design choice. The issue involves the `HMAC` verification process and the potential for an attacker to infer values through timing attacks.

**Recommendations**

Update to a newer version of Node.js that addresses this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
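
The comparison behaviour described above, shown as an added application-level illustration (it is not Node.js source code and not part of the original entry): an early-exit comparison does work proportional to the matching prefix, while `crypto.timingSafeEqual` does not. The key, message, and function names are constructed for the example.

```javascript
// Added illustration; names and sample values are constructed, not from Node.js.
const { createHmac, timingSafeEqual } = require('node:crypto');

const KEY = Buffer.from('constructed-demo-key');     // constructed sample key
const MESSAGE = Buffer.from('amount=100&to=alice');  // constructed sample message

function computeTag(key, message) {
  return createHmac('sha256', key).update(message).digest();
}

// Early-exit comparison: the loop stops at the first mismatching byte, so the
// work done (reported here as `steps`) grows with the matching prefix length.
function leakyEqual(a, b) {
  if (a.length !== b.length) return { equal: false, steps: 0 };
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return { equal: false, steps: i + 1 };
  }
  return { equal: true, steps: a.length };
}

// Hardened verification: reject wrong lengths up front (timingSafeEqual throws
// on a length mismatch), then compare every byte regardless of content.
function verifyTag(key, message, suppliedTag) {
  const expected = computeTag(key, message);
  if (!Buffer.isBuffer(suppliedTag) || suppliedTag.length !== expected.length) {
    return false;
  }
  return timingSafeEqual(expected, suppliedTag);
}

// Build a wrong tag that shares the first `n` bytes with the real one.
function tagWithMatchingPrefix(n) {
  const candidate = Buffer.from(computeTag(KEY, MESSAGE)); // copy of real tag
  for (let i = n; i < candidate.length; i++) candidate[i] ^= 0xff;
  return candidate;
}

// For each prefix length, show the leaky step count next to the hardened result.
function demo() {
  const real = computeTag(KEY, MESSAGE);
  return [0, 8, 31].map((n) => {
    const candidate = tagWithMatchingPrefix(n);
    return {
      matchingBytes: n,
      leakySteps: leakyEqual(real, candidate).steps,
      hardenedResult: verifyTag(KEY, MESSAGE, candidate),
    };
  });
}

console.log(demo());
```

In application code that verifies HMACs itself, the `verifyTag` pattern (length check, then `timingSafeEqual` over fixed-length digests) avoids the byte-proportional behaviour regardless of which runtime version is installed.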