GHSA-FR8M-434R-G3XP

Vulnerability from github – Published: 2025-10-15 18:57 – Updated: 2026-01-22 20:44
VLAI?
Summary
gnark-crypto doesn't range check input values during ECDSA and EdDSA signature deserialization
Details

Impact

During deserialization of ECDSA and EdDSA signatures gnark-crypto did not check that the values are in the range [1, n-1] with n being the corresponding modulus (either base field modulus in case of R in EdDSA, and scalar field modulus in case of s,r in ECDSA and s in EdDSA). As this also allowed zero inputs, then it was possible to craft a signature which lead to null pointer dereference, leading to denial-of-service of an application. This also enabled weak signature malleability when the users assumed uniqueness of the serialized signatures (but not the underlying modulo reduced values).

We are not aware of any users impacted by the bug. The implemented signature schemes in gnark-crypto complement the in-circuit versions in gnark, allowing to have end-to-end tests.

Patches

The issue was patched in PR #449. The fix returns an error during deserialization if the values do not belong to the ranges [1, n-1].

The fix is included in release v0.12.0 and upwards.

Workarounds

Users can manually validate the inputs to be in corresponding ranges when using serialized signatures (or digests of them) as unique keys.

To address the denial-of-service, the users can install hook to recover panics and recover

Resources

Acknowledgement

Lack of range checks leading to signature malleability was reported by Verichains.

Severity ?
5.1 (Medium)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/consensys/gnark-crypto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-44273"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-15T18:57:59Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nDuring deserialization of ECDSA and EdDSA signatures gnark-crypto did not check that the values are in the range `[1, n-1]` with `n` being the corresponding modulus (either base field modulus in case of `R` in EdDSA, and scalar field modulus in case of `s,r` in ECDSA and `s` in EdDSA). As this also allowed zero inputs, then it was possible to craft a signature which lead to null pointer dereference, leading to denial-of-service of an application. This also enabled weak signature malleability when the users assumed uniqueness of the serialized signatures (but not the underlying modulo reduced values).\n\nWe are not aware of any users impacted by the bug. The implemented signature schemes in gnark-crypto complement the in-circuit versions in gnark, allowing to have end-to-end tests.\n\n### Patches\n\nThe issue was patched in PR #449. The fix returns an error during deserialization if the values do not belong to the ranges `[1, n-1]`.\n\nThe fix is included in release v0.12.0 and upwards.\n\n### Workarounds\n\nUsers can manually validate the inputs to be in corresponding ranges when using serialized signatures (or digests of them) as unique keys.\n\nTo address the denial-of-service, the users can install hook to recover panics and recover \n\n### Resources\n\n* [Verichains advisory](https://github.com/advisories/GHSA-9xfq-8j3r-xp5g) for signature malleability.\n* Fix https://github.com/Consensys/gnark-crypto/pull/449\n* [Go blog post \"Defer, Panic, and Recover\"](https://go.dev/blog/defer-panic-and-recover)\n* [gnark v0.12.0](https://github.com/Consensys/gnark-crypto/releases/tag/v0.12.0)\n\n\n### Acknowledgement\n\nLack of range checks leading to signature malleability was reported by [Verichains](https://www.verichains.io/).",
  "id": "GHSA-fr8m-434r-g3xp",
  "modified": "2026-01-22T20:44:35Z",
  "published": "2025-10-15T18:57:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Consensys/gnark-crypto/security/advisories/GHSA-fr8m-434r-g3xp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44273"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Consensys/gnark-crypto/pull/449"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Consensys/gnark-crypto"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Consensys/gnark-crypto/releases/tag/v0.12.0"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/blog/defer-panic-and-recover"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "gnark-crypto doesn\u0027t range check input values during ECDSA and EdDSA signature deserialization"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.