
GHSA-4hff-hh47-7788: Duplicate Advisory: curve25519-dalek has timing variability in `curve25519-dalek`'s `Scalar29::sub`/`Scalar52::sub`

CVSS Score: 2.9 (CVSS 3.1)

Basic Information

CVE ID: -
EPSS Score: -
Published: 7/27/2025
Updated: 7/28/2025
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name: curve25519-dalek
Ecosystem: rust
Vulnerable Versions: < 4.1.3
First Patched Version: 4.1.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability, identified as GHSA-4hff-hh47-7788, is a timing side-channel issue in the curve25519-dalek crate. The root cause is a compiler optimization in LLVM that introduces a data-dependent branch in the scalar subtraction functions, specifically Scalar52::sub and, as mentioned in the advisory, Scalar29::sub. This timing variability could allow an attacker to leak secret information. The analysis of the provided patch 8f38163e5cd6ddb048b0bd5a3737927b79e6d80f confirms the vulnerability in Scalar52::sub located in curve25519-dalek/src/backend/serial/u64/scalar.rs. The patch mitigates this by introducing a black_box function using a volatile read, which acts as an optimization barrier and prevents the compiler from introducing the vulnerable branch. While the advisory also mentions Scalar29::sub, the provided commit only contains the fix for Scalar52::sub. A security engineer should ensure that all instances of this pattern are patched in their environment, as other scalar sizes might be affected as well.

Vulnerable functions

Scalar52::sub (curve25519-dalek/src/backend/serial/u64/scalar.rs)
The function `Scalar52::sub` was vulnerable to a timing side-channel attack. The compiler (LLVM) was optimizing a calculation involving a mask (`underflow_mask`) by introducing a conditional branch. This branch would cause the function's execution time to vary depending on the value of the mask, which is derived from secret data. An attacker could potentially use this timing difference to leak information about the secret scalar. The fix introduces a `black_box` function, which acts as an optimization barrier, preventing the compiler from creating the data-dependent branch.
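The masked conditional add described above, as an added Rust example written for this page (it is not the crate's code): a 52-bit-limb subtraction in the style of `Scalar52::sub`, with the underflow mask passed through a volatile-read `black_box` of the kind the patch introduces. The modulus is a function parameter rather than the crate's constant, and the `main` uses a constructed toy modulus of 2^53.

```rust
// Added example, not curve25519-dalek source: (a - b) mod l over five
// 52-bit limbs, with the underflow mask routed through an optimization
// barrier so LLVM cannot lower the mask-select into a secret-dependent branch.

const LIMB_BITS: u32 = 52;
const LIMB_MASK: u64 = (1u64 << LIMB_BITS) - 1;

/// Optimization barrier: a volatile read forces the value to be materialized
/// and keeps the optimizer from reasoning about it (stable Rust also provides
/// `core::hint::black_box` for the same purpose).
#[inline(never)]
fn black_box(v: u64) -> u64 {
    // SAFETY: `v` is a valid, initialized local for the duration of the read.
    unsafe { core::ptr::read_volatile(&v) }
}

/// Compute (a - b) mod l; operands and modulus are little-endian 52-bit limbs.
pub fn scalar_sub(a: &[u64; 5], b: &[u64; 5], l: &[u64; 5]) -> [u64; 5] {
    let mut difference = [0u64; 5];

    // a - b with a propagated borrow; bit 63 of `borrow` is the borrow-out.
    let mut borrow: u64 = 0;
    for i in 0..5 {
        borrow = a[i].wrapping_sub(b[i] + (borrow >> 63));
        difference[i] = borrow & LIMB_MASK;
    }

    // All-ones if the subtraction underflowed, all-zeros otherwise. Without
    // the barrier the compiler may turn the `& underflow_mask` below into
    // `if underflowed { add l }`, exposing the borrow through timing.
    let underflow_mask = black_box(((borrow >> 63) ^ 1).wrapping_sub(1));

    // Conditionally add l back by masking, never by branching on the mask.
    let mut carry: u64 = 0;
    for i in 0..5 {
        carry = (carry >> LIMB_BITS) + difference[i] + (l[i] & underflow_mask);
        difference[i] = carry & LIMB_MASK;
    }

    difference
}

fn main() {
    // Constructed toy modulus 2^53 (limb 1 = 2); 3 - 5 mod 2^53 = 2^53 - 2.
    let l = [0, 2, 0, 0, 0];
    println!("{:?}", scalar_sub(&[3, 0, 0, 0, 0], &[5, 0, 0, 0, 0], &l));
}
```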

WAF Protection Rules

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-x**p-pqpj-***q. This link is maintained to preserve external references.

Original Description

The curve25519-dalek crate before 4.1.3 for Rust has a const
