CVE-2025-22866: Due to the usage of a variable time instruction in the assembly implementation of an internal...

CVSS Score: 8.4 (version 3.1)

Basic Information

EPSS Score: 0.00469%
CWE: -
Published: 2/6/2025
Updated: 2/21/2025
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Intelligence
Miggo AI Root Cause Analysis

Could not retrieve commit information from the provided URLs. The Gerrit CL link requires JavaScript, and the GitHub issue does not contain direct commit links. Without the patch details, I cannot confidently identify the vulnerable functions.

The issue mentions that the vulnerability is in the p256NegCond function in the crypto/internal/fips140/nistec package. However, without the patch, I cannot confirm this or provide specific evidence and other details like the exact function signature or file path. Therefore, I am returning an empty list for vulnerable_functions as per the instructions to not hallucinate and only return results with concrete evidence from the patch itself.

WAF Protection Rules

WAF Rule

Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leak
