Details

Impact

The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security.

Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve.

Patches

Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues.

We acknowledge Alon Livne (Botanica Software Labs) for the reported findings.

Severity

• CVSS Score: 3.7 / 10 (Low)
• Vector String:CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References

• https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm
• https://nvd.nist.gov/vuln/detail/CVE-2025-8556
• https://access.redhat.com/security/cve/CVE-2025-8556
• https://bugzilla.redhat.com/show_bug.cgi?id=2371624
• https://github.com/cloudflare/circl
• https://github.com/cloudflare/circl/tree/v1.6.1
• https://news.ycombinator.com/item?id=45669593
• https://www.botanica.software/blog/cryptographic-issues-in-cloudflares-circl-fourq-implementation

This data is provided byOSV and theGitHub Advisory Database (CC-BY 4.0).

Details

CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl

Severity

Unknown

References

• https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm
• https://github.com/cloudflare/circl/tree/v1.6.1

This data is provided byOSV and theGo Vulnerability Database (CC-BY 4.0).

v1.6.1: CIRCL v1.6.1

Compare Source

CIRCL v1.6.1

• Fixes some point checks on the FourQ curve.
• Hybrid KEM fails on low-order points.

What's Changed

• kem/hybrid: ensure X25519 hybrids fails with low order points by@​Lekensteyn in#​541
• .github: Use native ARM64 builders instead of QEMU by@​Lekensteyn in#​542
• Fixes several errors on twisted Edwards curves. by@​armfazh in#​545
• Release v1.6.1 by@​armfazh in#​546

Full Changelog:cloudflare/circl@v1.6.0...v1.6.1

v1.6.0: CIRCL v1.6.0

Compare Source

CIRCL v1.6.0

New!

• Prio3 Verifiable Distributed Aggregation Function (draft-irtf-cfrg-vdaf).
• X-Wing: general-purpose hybrid post-quantum KEM (draft-connolly-cfrg-xwing-kem)

What's Changed

• Add OIDs to ML-DSA by@​bwesterb in#​519
• Adds Prio3 a set of verifiable distributed aggregation functions. by@​armfazh in#​522
• Run semgrep cronjob only in upstream repository. by@​armfazh in#​526
• X-Wing PQ/T hybrid by@​bwesterb in#​471
• ckem: move crypto/elliptic to crypto/ecdh by@​MingLLuo in#​529
• hpke: Update HPKE code to use ecdh stdlib package. by@​armfazh in#​530
• prio3: Adds polynomial multiplication using NTT by@​armfazh in#​532
• Add Prio3 in readme. by@​armfazh in#​527

New Contributors

• @​MingLLuo made their first contribution in#​529

Full Changelog:cloudflare/circl@v1.5.0...v1.6.0

v1.5.0: CIRCL v1.5.0

Compare Source

CIRCL v1.5.0

New: ML-DSA, Module-Lattice-based Digital Signature Algorithm.

What's Changed

• kem: add X25519MLKEM768 TLS hybrid KEM by@​bwesterb in#​510
• Create semgrep.yml by@​hrushikeshdeshpande in#​514
• repo: Some fixes reported by CodeQL by@​armfazh in#​515
• Add ML-DSA (FIPS204) by@​bwesterb in#​480
• sign/mldsa: Add test for ML-DSA signature verification. by@​armfazh in#​517
• Release v1.5.0 by@​armfazh in#​518

New Contributors

• @​hrushikeshdeshpande made their first contribution in#​514

Full Changelog:cloudflare/circl@v1.4.0...v1.5.0

v1.4.0: CIRCL v1.4.0

Compare Source

CIRCL v1.4.0

Changes

New: ML-KEM compatible with FIPS-203.

Commit History

• eddilithium3: fix typos by@​bwesterb in#​503
• Add ML-KEM (FIPS 203). by@​bwesterb in#​470
• Add ML-KEM decapsulation key check. by@​bwesterb in#​507
• Preparing for release v1.4.0 by@​armfazh in#​508

Full Changelog:cloudflare/circl@v1.3.9...v1.4.0

v1.3.9: CIRCL v1.3.9

Compare Source

CIRCL v1.3.9

Changes:

• Fix bug on BLS12381 decoding elements.

Commit History

• dilithium: fix typo by@​bwesterb in#​498
• bls12381: Detects invalid prefix in G1 and G2 serialized elements by@​armfazh in#​500
• Preparing CIRCL release v1.3.9 by@​armfazh in#​501

Full Changelog:cloudflare/circl@v1.3.8...v1.3.9

v1.3.8: CIRCL v1.3.8

Compare Source

CIRCL v1.3.8

New

• BLS Signatures on top of BLS12-381.
• Adopt faster squaring in pairings.
• BlindRSA compliant with RFC9474.
• (Verifiable) Secret Sharing compatible with the Group interface (elliptic curves).

Notice

• Update on cpabe/tkn20 ciphertexts, read more athttps://github.com/cloudflare/circl/wiki/tkn20-Ciphertext-Format-(v1.3.8)

What's Changed

• Implement Granger-Scott faster squaring in the cyclotomic subgroup. by@​armfazh in#​449
• Updates avo and CIRCL's own dependency. by@​armfazh in#​474
• Updating documentation for OPRF package. by@​armfazh in#​475
• group: removes order method from group interface by@​armfazh in#​356
• zk/dleq: Adding DLEQ proofs for Qn, the subgroup of squares in (Z/nZ)* by@​armfazh in#​451
• Reduce x/crypto and x/sys versions to match Go 1.21 by@​Lekensteyn in#​476
• Bump GitHub Actions versions and use Go 1.22 and 1.21 by@​Lekensteyn in#​477
• Adding rule for constant values by@​armfazh in#​478
• Add BLS signatures over BLS12-381 by@​armfazh in#​446
• group: Implements Shamir and Feldman secret sharing. by@​armfazh in#​348
• blindrsa: add support for all variants of RFC9474 by@​armfazh in#​479
• Explicitly installs Go with version before CodeQL analysis. by@​armfazh in#​481
• Bumps golangci-lint action by@​armfazh in#​485
• ecc/bls12381: Ensures pairing operations don't overwrite their input by@​armfazh in#​494
• Align to thepurego build tag, removingnoasm build tag by@​mattyclarkson in#​492
• cpabe: Serializing ciphertext with 32-bit prefixes. by@​armfazh in#​490

New Contributors

• @​mattyclarkson made their first contribution in#​492

Full Changelog:cloudflare/circl@v1.3.7...v1.3.8