GHSA-4hff-hh47-7788

Suggest an improvement
Source
https://github.com/advisories/GHSA-4hff-hh47-7788
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-4hff-hh47-7788/GHSA-4hff-hh47-7788.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4hff-hh47-7788
Withdrawn
2025-07-28T15:46:04Z
Published
2025-07-27T21:32:11Z
Modified
2025-07-28T15:46:04Z
Severity
  • 2.9 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Duplicate Advisory: curve25519-dalek has timing variability in `curve25519-dalek`'s `Scalar29::sub`/`Scalar52::sub`
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-x4gp-pqpj-f43q. This link is maintained to preserve external references.

Original Description

The curve25519-dalek crate before 4.1.3 for Rust has a constant-time operation on elliptic curve scalars that is removed by LLVM.

Database specific 
{
    "cwe_ids": [
        "CWE-733"
    ],
    "github_reviewed_at": "2025-07-28T15:46:04Z",
    "nvd_published_at": "2025-07-27T20:15:25Z",
    "severity": "LOW",
    "github_reviewed": true
}
References

Affected packages

crates.io / curve25519-dalek

Package

Name
curve25519-dalek
View open source insights on deps.dev
Purl
pkg:cargo/curve25519-dalek

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.1.3

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-4hff-hh47-7788/GHSA-4hff-hh47-7788.json"