Sm Crypto
CVE-2026-23967
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 501 npm packages depend on sm-crypto (315 direct, 192 indirect)
Ecosystem-wide dependent count for version 0.3.14.
DescriptionGitHub Advisory
sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature malleability vulnerability exists in the SM2 signature verification logic of the sm-crypto library prior to version 0.3.14. An attacker can derive a new valid signature for a previously signed message from an existing signature. Version 0.3.14 patches the issue.
AnalysisAI
Sm-Crypto versions up to 0.3.14. is affected by improper verification of cryptographic signature (CVSS 7.5).
Technical ContextAI
This vulnerability (CWE-347: Improper Verification of Cryptographic Signature) affects Sm-Crypto. sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature malleability vulnerability exists in the SM2 signature verification logic of the sm-crypto library prior to version 0.3.14. An attacker can derive a new valid signature for a previously signed message from an existing signature. Version 0.3.14 patches the issue.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
The sm-crypto JavaScript library has a private key recovery vulnerability in its SM2 implementation, allowing attackers
SM2 signature forgery in sm-crypto prior to version 0.4.0 allows unauthenticated attackers to create valid signatures fo
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-qv7w-v773-3xqm