GHSA-v432-7f47-9g94: PostQuantum-Feldman-VSS's Dependency Vulnerability in gmpy2 Leading to Interpreter Crash
Description:
PostQuantum-Feldman-VSS, a Python library implementing Feldman's Verifiable Secret Sharing scheme with post-quantum security, was vulnerable to denial-of-service attacks in versions up to and including 0.7.6b0. This vulnerability stems from the library's reliance on the gmpy2 library for arbitrary-precision arithmetic. gmpy2, in turn, depends on the GNU Multiple Precision Arithmetic Library (GMP). GMP, by design, terminates the process when it cannot allocate memory. An attacker could exploit this by providing carefully crafted inputs that cause gmpy2 to attempt to allocate extremely large amounts of memory, leading to a crash of the Python interpreter and thus a denial of service.
Vulnerability Details:
The core issue lies in the behavior of GMP (and thus, gmpy2) when memory allocation fails. Instead of raising a standard Python exception that could be caught and handled, GMP terminates the entire process. This behavior is documented in the GMP and gmpy2 documentation: