CVE-2025-8556
LOW 3.7 | EPSS 0.09%
CIRCL-Fourq: Missing and wrong validation can lead to incorrect results
Published: 2025/6/10 | Modified: 2026/2/4
Description
### Impact

The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security. Moreover, an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and in the check of whether a point is on the curve.

### Patches

Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues.

We acknowledge Alon Livne (Botanica Software Labs) for the reported findings.
Affected packages (3)
- Debian/golang-github-cloudflare-circl: from 0
- Go/github.com/cloudflare/circl: from 0, < 1.6.1
- Go/github.com/cloudflare/circl: from 0, < 1.6.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Reference links (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-8556
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2025-8556
- PATCH: https://github.com/cloudflare/circl
- WEB: https://access.redhat.com/security/cve/CVE-2025-8556
- WEB: https://bugzilla.redhat.com/show_bug.cgi?id=2371624
- WEB: https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm
- WEB: https://github.com/cloudflare/circl/tree/v1.6.1
- WEB: https://news.ycombinator.com/item?id=45669593
- WEB: https://www.botanica.software/blog/cryptographic-issues-in-cloudflares-circl-fourq-implementation