CVE-2025-8556 github.com/cloudflare/circl

Package

Manager: go
Name: github.com/cloudflare/circl
Vulnerable Version: >=0 <1.6.1

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00024 (percentile: 0.05017)

Details

CIRCL-Fourq: Missing and wrong validation can lead to incorrect results

### Impact

The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security.

Moreover, incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and in the check of whether a point is on the curve.

### Patches

Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues.

We acknowledge Alon Livne (Botanica Software Labs) for the reported findings.
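To check a project against the affected range (>=0 <1.6.1), the following added example, which is not part of the advisory or of CIRCL, scans go.mod text for pinned versions of github.com/cloudflare/circl below the fix. The function names and the sample go.mod line are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const circlModule = "github.com/cloudflare/circl"
var fixedVersion = [3]int{1, 6, 1} // first patched release named by the advisory

// isVulnerable reports whether v lies in ">=0 <1.6.1"; ok is false for non-versions.
func isVulnerable(v string) (vuln, ok bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop build metadata
	core, _, pre := strings.Cut(v, "-")                    // pre: pre-release or pseudo-version
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return false, false
	}
	cmp := 0 // sign of (version - fixed), set by the first differing field
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return false, false
		}
		if cmp == 0 {
			cmp = x - fixedVersion[i]
		}
	}
	// A pre-release of 1.6.1 sorts below the release, so it is still in range.
	return cmp < 0 || (cmp == 0 && pre), true
}

// vulnerableCIRCL lists circl versions below 1.6.1 as written in go.mod (replace not resolved).
func vulnerableCIRCL(gomod string) []string {
	var hits []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // strip comments
		for i := 0; i+1 < len(f); i++ {
			if vuln, ok := isVulnerable(f[i+1]); f[i] == circlModule && ok && vuln {
				hits = append(hits, f[i+1])
			}
		}
	}
	return hits
}

func main() {
	fmt.Println(vulnerableCIRCL("require github.com/cloudflare/circl v1.3.7 // indirect\n")) // constructed input
}
```

Because replace directives are not resolved, a version that appears on the left-hand side of a replace is reported even if the build actually uses a patched replacement.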

Metadata

Created: 2025-06-10T21:18:33Z
Modified: 2025-08-06T17:41:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-2x5j-vhc8-9cwm/GHSA-2x5j-vhc8-9cwm.json
CWE IDs: ["CWE-20", "CWE-347"]
Alternative ID: GHSA-2x5j-vhc8-9cwm
Finding: F184
Auto approve: 1