Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9Blast Radius
ecosystem impact- 1,220 npm packages depend on sjcl (353 direct, 870 indirect)
Ecosystem-wide dependent count for version 1.0.9.
DescriptionCVE.org
All versions of the package sjcl are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(). An attacker can recover a victim's ECDH private key by sending crafted off-curve public keys and observing ECDH outputs. The dhJavaEc() function directly returns the raw x-coordinate of the scalar multiplication result (no hashing), providing a plaintext oracle without requiring any decryption feedback.
AnalysisAI
Private key recovery in Stanford JavaScript Crypto Library (SJCL) ECDH implementation affects all versions prior to 1.0.9, allowing remote unauthenticated attackers to extract a victim's ECDH private key by submitting crafted off-curve public keys and observing the resulting shared-secret outputs. The flaw stems from missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(), combined with dhJavaEc() returning the raw x-coordinate without hashing - providing a direct plaintext oracle. Publicly available exploit code exists (PoC gist by Kr0emer); EPSS is low at 0.02% despite the high confidentiality impact, suggesting limited current opportunistic targeting.
Technical ContextAI
SJCL (Stanford JavaScript Crypto Library, CPE cpe:2.3:a:n/a:sjcl) is a long-standing but deprecated JavaScript cryptography library historically used in browser and Node.js applications for ECDH, AES, and other primitives. The vulnerability is a classic invalid-curve attack: the library's sjcl.ecc.basicKey.publicKey() constructor accepted arbitrary (x,y) coordinates without verifying they lie on the configured elliptic curve, so an attacker could supply a point on a weaker curve whose order has small prime factors. CWE-347 (Improper Verification of Cryptographic Signature) captures the broader 'failure to validate cryptographic input' class - here applied to ECC point validation. Because dhJavaEc() returns the raw x-coordinate of k·P with no KDF/hash, each ECDH operation leaks the victim's private key modulo a small subgroup; repeated queries with carefully chosen malicious points allow CRT-style reconstruction of the full private scalar.
RemediationAI
Vendor-released patch: SJCL 1.0.9 - upgrade the npm 'sjcl' dependency to 1.0.9 or later, which adds a this._point.isValid() check in sjcl.ecc.basicKey.publicKey() that throws sjcl.exception.corrupt('not on the curve!') for off-curve inputs (commit ee30745). Because the maintainer has formally deprecated SJCL, the strongly preferred long-term remediation is to migrate ECDH and other crypto operations to an actively maintained library such as the Web Crypto API (SubtleCrypto), Node.js built-in crypto, or libsodium/noble-curves; this avoids future unpatched issues since SJCL receives no other maintenance. If immediate upgrade is not possible, compensating controls include: validating every external public key against the curve equation before passing it to sjcl.ecc.basicKey.publicKey() (trade-off: requires correct curve math in application code); refusing to perform ECDH with externally supplied keys on the server side (trade-off: breaks any protocol that needs ephemeral peer keys); rate-limiting and logging ECDH endpoints to detect the many oracle queries required (trade-off: detection only, not prevention); and replacing dhJavaEc() raw-x output with an HKDF/SHA-256 derivation so the shared secret is no longer a plaintext oracle (trade-off: breaks interoperability with peers expecting raw output). See https://security.snyk.io/vuln/SNYK-JS-SJCL-15369617 and the upstream advisory in the SJCL README.
More in Jwt Attack
View allWhy is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti
A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27
A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote
Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)
Same technique Information Disclosure
View allVendor StatusVendor
Debian
Bug #924588| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| open | - | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12542
GHSA-2w8x-224x-785m