GHSA-2x5j-vhc8-9cwm: CIRCL-Fourq: Missing and wrong validation can lead to incorrect results

June 10, 2025

The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security.

Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve.

References

github.com/advisories/GHSA-2x5j-vhc8-9cwm
github.com/cloudflare/circl
github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm
github.com/cloudflare/circl/tree/v1.6.1

Code Behaviors & Features

Detect and mitigate GHSA-2x5j-vhc8-9cwm with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →