Skip to main content

SJCL CVE-2026-4258

| EUVDEUVD-2026-12542 HIGH
Improper Verification of Cryptographic Signature (CWE-347)
2026-03-17 snyk GHSA-2w8x-224x-785m
7.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

9
Analysis Updated
Jun 03, 2026 - 14:58 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jun 03, 2026 - 14:58 vuln.today
Analysis Updated
Jun 03, 2026 - 14:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 03, 2026 - 14:52 vuln.today
cvss_changed
CVSS changed
Jun 03, 2026 - 14:52 NVD
7.5 (HIGH) 7.7 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 17, 2026 - 08:13 euvd
EUVD-2026-12542
Analysis Generated
Mar 17, 2026 - 08:13 vuln.today
CVE Published
Mar 17, 2026 - 05:00 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1,220 npm packages depend on sjcl (353 direct, 870 indirect)

Ecosystem-wide dependent count for version 1.0.9.

DescriptionCVE.org

All versions of the package sjcl are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(). An attacker can recover a victim's ECDH private key by sending crafted off-curve public keys and observing ECDH outputs. The dhJavaEc() function directly returns the raw x-coordinate of the scalar multiplication result (no hashing), providing a plaintext oracle without requiring any decryption feedback.

AnalysisAI

Private key recovery in Stanford JavaScript Crypto Library (SJCL) ECDH implementation affects all versions prior to 1.0.9, allowing remote unauthenticated attackers to extract a victim's ECDH private key by submitting crafted off-curve public keys and observing the resulting shared-secret outputs. The flaw stems from missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(), combined with dhJavaEc() returning the raw x-coordinate without hashing - providing a direct plaintext oracle. Publicly available exploit code exists (PoC gist by Kr0emer); EPSS is low at 0.02% despite the high confidentiality impact, suggesting limited current opportunistic targeting.

Technical ContextAI

SJCL (Stanford JavaScript Crypto Library, CPE cpe:2.3:a:n/a:sjcl) is a long-standing but deprecated JavaScript cryptography library historically used in browser and Node.js applications for ECDH, AES, and other primitives. The vulnerability is a classic invalid-curve attack: the library's sjcl.ecc.basicKey.publicKey() constructor accepted arbitrary (x,y) coordinates without verifying they lie on the configured elliptic curve, so an attacker could supply a point on a weaker curve whose order has small prime factors. CWE-347 (Improper Verification of Cryptographic Signature) captures the broader 'failure to validate cryptographic input' class - here applied to ECC point validation. Because dhJavaEc() returns the raw x-coordinate of k·P with no KDF/hash, each ECDH operation leaks the victim's private key modulo a small subgroup; repeated queries with carefully chosen malicious points allow CRT-style reconstruction of the full private scalar.

RemediationAI

Vendor-released patch: SJCL 1.0.9 - upgrade the npm 'sjcl' dependency to 1.0.9 or later, which adds a this._point.isValid() check in sjcl.ecc.basicKey.publicKey() that throws sjcl.exception.corrupt('not on the curve!') for off-curve inputs (commit ee30745). Because the maintainer has formally deprecated SJCL, the strongly preferred long-term remediation is to migrate ECDH and other crypto operations to an actively maintained library such as the Web Crypto API (SubtleCrypto), Node.js built-in crypto, or libsodium/noble-curves; this avoids future unpatched issues since SJCL receives no other maintenance. If immediate upgrade is not possible, compensating controls include: validating every external public key against the curve equation before passing it to sjcl.ecc.basicKey.publicKey() (trade-off: requires correct curve math in application code); refusing to perform ECDH with externally supplied keys on the server side (trade-off: breaks any protocol that needs ephemeral peer keys); rate-limiting and logging ECDH endpoints to detect the many oracle queries required (trade-off: detection only, not prevention); and replacing dhJavaEc() raw-x output with an HKDF/SHA-256 derivation so the shared secret is no longer a plaintext oracle (trade-off: breaks interoperability with peers expecting raw output). See https://security.snyk.io/vuln/SNYK-JS-SJCL-15369617 and the upstream advisory in the SJCL README.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Vendor StatusVendor

Debian

Bug #924588
node-sjcl
Release Status Fixed Version Urgency
open - -

Share

CVE-2026-4258 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy