GHSA-2x5j-vhc8-9cwm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2x5j-vhc8-9cwm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-2x5j-vhc8-9cwm/GHSA-2x5j-vhc8-9cwm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2x5j-vhc8-9cwm
- Aliases
- Related
- Published
- 2025-06-10T21:18:33Z
- Modified
- 2025-06-11T18:27:44.698643Z
- Downstream
- Summary
- CIRCL-Fourq: Missing and wrong validation can lead to incorrect results
- Details
-
Impact
The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security.
Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve.
Patches
Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues.
We acknowledge Alon Livne (Botanica Software Labs) for the reported findings.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-20" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2025-06-10T21:18:33Z" }- References
Affected packages
Go / github.com/cloudflare/circl
Package
- Name
- github.com/cloudflare/circl
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/cloudflare/circl