VYPR
Medium severity 4.3 · NVD Advisory · Published Mar 13, 2025 · Updated Apr 15, 2026

CVE-2020-36843

Description

The implementation of EdDSA in EdDSA-Java (aka ed25519-java) through 0.3.0 exhibits signature malleability and does not satisfy the SUF-CMA (Strong Existential Unforgeability under Chosen Message Attacks) property. This allows attackers to create new valid signatures different from previous signatures for a known message.
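The canonical-S rule behind this advisory, as an added example (not code from the advisory or from the EdDSA-Java/I2P projects). The class and method names are hypothetical, and the signature bytes are constructed filler rather than a real signature. Adding the group order L to S leaves S mod L unchanged, so a verifier that does not enforce S < L accepts both encodings.

```java
import java.math.BigInteger;
import java.util.Arrays;

public class CanonicalSCheck {
    // Ed25519 group order L = 2^252 + 27742317777372353535851937790883648493
    static final BigInteger L = BigInteger.ONE.shiftLeft(252)
            .add(new BigInteger("27742317777372353535851937790883648493"));

    // Decode an unsigned little-endian integer, keeping every bit (no masking).
    static BigInteger leToBigInteger(byte[] le) {
        byte[] be = new byte[le.length];
        for (int i = 0; i < le.length; i++) be[i] = le[le.length - 1 - i];
        return new BigInteger(1, be);
    }

    // Encode a non-negative value below 2^256 as 32 little-endian bytes.
    static byte[] toLe32(BigInteger v) {
        byte[] be = v.toByteArray(); // big-endian, may carry a leading sign byte
        byte[] le = new byte[32];
        for (int i = 0; i < be.length && i < 32; i++) le[i] = be[be.length - 1 - i];
        return le;
    }

    // True only for a 64-byte signature whose S half (bytes 32..63) is below L.
    static boolean hasCanonicalS(byte[] sig) {
        if (sig == null || sig.length != 64) return false;
        return leToBigInteger(Arrays.copyOfRange(sig, 32, 64)).compareTo(L) < 0;
    }

    // Constructed input: R is zero filler, only the S half matters for this check.
    static byte[] sigWithS(BigInteger s) {
        byte[] sig = new byte[64];
        System.arraycopy(toLe32(s), 0, sig, 32, 32);
        return sig;
    }

    public static void main(String[] args) {
        BigInteger s = new BigInteger("123456789"); // constructed sample scalar
        BigInteger alt = s.add(L);                  // second encoding of the same scalar mod L
        System.out.println("same scalar mod L: " + alt.mod(L).equals(s));
        System.out.println("S       canonical: " + hasCanonicalS(sigWithS(s)));
        System.out.println("S + L   canonical: " + hasCanonicalS(sigWithS(alt)));
        // Boundary cases: L - 1 is the largest accepted value, L itself is rejected.
        System.out.println("L - 1   canonical: " + hasCanonicalS(sigWithS(L.subtract(BigInteger.ONE))));
        System.out.println("L       canonical: " + hasCanonicalS(sigWithS(L)));
        // A set top bit (2^255) must also be rejected, which is why no mask is applied.
        System.out.println("2^255   canonical: " + hasCanonicalS(sigWithS(BigInteger.ONE.shiftLeft(255))));
    }
}
```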

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| net.i2p.crypto:eddsa (Maven) | <= 0.3.0 | |
| net.i2p:i2p (Maven) | < 0.9.39 | 0.9.39 |

Patches

d7d1dcb5399c

Crypto: Ed25519 check for S < L as in RFC 8032

https://github.com/i2p/i2p.i2p · zzz · Mar 12, 2019 · via ghsa
2 files changed · +8 -1
  • core/java/src/net/i2p/crypto/eddsa/EdDSABlinding.java · +1 -1 · modified
    @@ -21,7 +21,7 @@ public final class EdDSABlinding {
     
         private static final byte[] ONE = Utils.hexToBytes("0100000000000000000000000000000000000000000000000000000000000000");
         private static final Field FIELD = EdDSANamedCurveTable.getByName("Ed25519").getCurve().getField();
    -    private static final BigInteger ORDER = new BigInteger("2").pow(252).add(new BigInteger("27742317777372353535851937790883648493"));
    +    public static final BigInteger ORDER = new BigInteger("2").pow(252).add(new BigInteger("27742317777372353535851937790883648493"));
     
         private EdDSABlinding() {}
     
    
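Review bot: the ORDER field made public on the changed line has no Javadoc, and publishing it from EdDSABlinding makes a blinding helper the source of the group order for other classes. Suggest documenting it as the Ed25519 group order L = 2^252 + 27742317777372353535851937790883648493 and, if code outside blinding needs it, placing it alongside the curve parameters so callers do not depend on EdDSABlinding.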
  • core/java/src/net/i2p/crypto/eddsa/EdDSAEngine.java · +7 -0 · modified
    @@ -1,6 +1,7 @@
     package net.i2p.crypto.eddsa;
     
     import java.io.ByteArrayOutputStream;
    +import java.math.BigInteger;
     import java.nio.ByteBuffer;
     import java.security.InvalidAlgorithmParameterException;
     import java.security.InvalidKeyException;
    @@ -18,6 +19,7 @@
     import net.i2p.crypto.eddsa.math.Curve;
     import net.i2p.crypto.eddsa.math.GroupElement;
     import net.i2p.crypto.eddsa.math.ScalarOps;
    +import net.i2p.crypto.eddsa.math.bigint.BigIntegerLittleEndianEncoding;
     
     /**
      * Signing and verification for EdDSA.
    @@ -300,6 +302,11 @@ private boolean x_engineVerify(byte[] sigBytes) throws SignatureException {
             h = key.getParams().getScalarOps().reduce(h);
     
             byte[] Sbyte = Arrays.copyOfRange(sigBytes, b/8, b/4);
    +        // RFC 8032
    +        BigInteger Sbigint = (new BigIntegerLittleEndianEncoding()).toBigInteger(Sbyte);
    +        if (Sbigint.compareTo(EdDSABlinding.ORDER) >= 0)
    +            return false;
    +
             // R = SB - H(Rbar,Abar,M)A
             GroupElement R = key.getParams().getB().doubleScalarMultiplyVariableTime(
                     ((EdDSAPublicKey) key).getNegativeA(), h, Sbyte);
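Review bot: the new S check in x_engineVerify compares against EdDSABlinding.ORDER, a fixed Ed25519 constant, while the surrounding lines take everything else from key.getParams(); for a key on any other parameter set the bound would be the wrong order. Suggest deriving the order from the key's parameters, or guarding the check on the curve in use. Two smaller points: "new BigIntegerLittleEndianEncoding()" is built with no field set and allocated on every verify, so it is worth confirming that toBigInteger decodes all b/8 bytes of S unmasked in that state and reusing one instance; and the comment "// RFC 8032" could state that S >= L is rejected as non-canonical. Neither changed file is a test, so a case that takes a valid signature, replaces S with S + L and expects verification to return false would pin the behaviour.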
    
