Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

All statuses
Filter by:
With package: python312Packages.sjcl

Found 1 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2026-4258
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 1 month ago Activity log
  • Created suggestion 1 month ago
All versions of the package sjcl are vulnerable to Improper …

All versions of the package sjcl are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(). An attacker can recover a victim's ECDH private key by sending crafted off-curve public keys and observing ECDH outputs. The dhJavaEc() function directly returns the raw x-coordinate of the scalar multiplication result (no hashing), providing a plaintext oracle without requiring any decryption feedback.

Affected products

sjcl
  • *

Matching in nixpkgs

pkgs.python312Packages.sjcl

Decrypt and encrypt messages compatible to the "Stanford Javascript Crypto Library (SJCL)" message format

pkgs.python313Packages.sjcl

Decrypt and encrypt messages compatible to the "Stanford Javascript Crypto Library (SJCL)" message format

pkgs.python314Packages.sjcl

Decrypt and encrypt messages compatible to the "Stanford Javascript Crypto Library (SJCL)" message format

Package maintainers