CVE-2024-33851: mdanter/ecc affected by timing vulnerability in cryptographic side-channels

April 28, 2024 (updated November 4, 2024)

phpecc, as used in all versions of mdanter/ecc, as well as paragonie/ecc before 2.0.1, has a branch-based timing leak in Point addition. (This Composer package is also known as phpecc/phpecc on GitHub, previously known as the Matyas Danter ECC library.)

Paragon Initiative Enterprises hard-forked phpecc/phpecc and discovered the issue in the original code, then released v2.0.1 which fixes the vulnerability. The upstream code is no longer maintained and remains vulnerable for all versions.

References

github.com/FriendsOfPHP/security-advisories/blob/master/mdanter/ecc/CVE-2024-33851.yaml
github.com/advisories/GHSA-3494-cfwf-56hw
github.com/paragonie/phpecc/releases/tag/v2.0.0
github.com/paragonie/phpecc/releases/tag/v2.0.1
github.com/phpecc/phpecc/issues/289
nvd.nist.gov/vuln/detail/CVE-2024-33851

Detect and mitigate CVE-2024-33851 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →