python-ecdsa vulnerable to Minerva attack on P-256
Description
The ecdsa Python package (versions ≤0.18.0) is vulnerable to the Minerva side-channel attack, allowing lattice-based recovery of the ECDSA private key from a few hundred signatures.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability (Root Cause)
The ecdsa PyPI package (versions 0.18.0 and prior) is a pure Python implementation of ECC supporting ECDSA, EdDSA, and ECDH [3][4]. It is vulnerable to the Minerva side-channel attack, which exploits the fact that during ECDSA signature generation, the bit-length of the random nonce (scalar) can be inferred through timing or other side channels [1]. Even a small leakage—just the bit-length—is sufficient for full private key recovery when combined with lattice techniques [1]. The Python language itself does not guarantee constant-time execution for comparison or arithmetic operations, making such side channels likely exploitable in interpreted environments [2].
Exploitation
An attacker who can observe a sufficient number of ECDSA signatures generated by the same private key on known messages can mount the Minerva attack. No authentication or network position beyond the ability to measure timing (or other side channels) per signature is required; the attack is passive. According to the Minerva research, as few as 500 simulated signatures or 2100 real smartcard signatures can suffice to recover the full private key using lattice reduction [1]. For the ecdsa Python library, the same class of leakage is expected because the implementation does not use constant-time primitives.
Impact
Full recovery of the ECDSA private key. With the private key, the attacker can forge signatures on arbitrary messages, impersonate the key owner, and undermine any authentication or integrity guarantees provided by ECDSA. The impact is severe because the vulnerability directly undermines the security of the cryptographic primitive.
Mitigation
As of the publication date (2024-01-22), no patched version of the ecdsa package exists [4]. The GitHub repository notes that the library should not be used in production settings [3]. Until a fix is released (likely requiring the use of constant-time scalar multiplication), users are advised to migrate to a different ECDSA library that provides side-channel resistance, or to avoid using the vulnerable versions for signing operations where an attacker can observe multiple signatures.
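The following is an added example, not code from the python-ecdsa project or from the Minerva authors. It is a constructed toy P-256 implementation (affine coordinates, Python 3.8+ for `pow(x, -1, m)`) that makes the root cause above concrete: a naive double-and-add loop runs exactly `k.bit_length()` iterations, so a short nonce finishes measurably sooner, which is the per-signature leak described in the root-cause section. It also shows the standard countermeasure of padding the nonce with the group order (using `k + N` or `k + 2N`, which yields the same point because `N*G` is the point at infinity) so every multiplication runs for the same number of bits; this is a general technique and is not claimed to be the fix python-ecdsa adopted. Names such as `pad_nonce`, `loop_counts` and the sample key, nonces and message are constructed for this example. Note the caveat: padding removes only the bit-length leak; the conditional addition inside the loop still depends on the nonce's bits, so a production fix needs a genuinely constant-time ladder, as the mitigation section says.

```python
import hashlib
import secrets

# NIST P-256 (secp256r1) domain parameters: y^2 = x^3 + A*x + B over GF(P),
# base point G of prime order N.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def point_add(p1, p2):
    """Affine point addition/doubling; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                       # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point=G):
    """Naive left-to-right double-and-add (constructed, NOT constant-time).

    Returns (k*point, number of loop iterations). The iteration count is
    exactly k.bit_length(), so a short nonce finishes sooner: that is the
    per-signature leak that Minerva feeds into a lattice."""
    result = None
    bits = bin(k)[2:]
    for bit in bits:
        result = point_add(result, result)
        if bit == "1":
            result = point_add(result, point)
    return result, len(bits)


def pad_nonce(k):
    """Countermeasure: multiply by k + N or k + 2N instead of k.

    Because N*G is the point at infinity the result is unchanged, but the
    scalar now always has N.bit_length() + 1 bits, so the loop count no
    longer depends on the secret nonce."""
    padded = k + N
    if padded.bit_length() <= N.bit_length():
        padded += N
    assert padded.bit_length() == N.bit_length() + 1
    return padded


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k, leak_safe):
    """ECDSA over P-256/SHA-256 with an explicit nonce k. Returns (r, s, iterations)."""
    scalar = pad_nonce(k) if leak_safe else k
    R, iterations = scalar_mult(scalar)
    r = R[0] % N
    s = pow(k, -1, N) * (hash_to_int(msg) + d * r) % N
    return r, s, iterations


def verify(Q, msg, r, s):
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    X = point_add(scalar_mult(hash_to_int(msg) * w % N)[0],
                  scalar_mult(r * w % N, Q)[0])
    return X is not None and X[0] % N == r


def loop_counts(nonces, leak_safe):
    """Set of iteration counts observed across nonces: the 'side channel'."""
    return {scalar_mult(pad_nonce(k) if leak_safe else k)[1] for k in nonces}


if __name__ == "__main__":
    d = secrets.randbelow(N - 1) + 1                 # constructed private key
    Q = scalar_mult(d)[0]
    msg = b"constructed sample message"
    nonces = [1, 0xabc, 2**200 + 7, secrets.randbelow(N - 1) + 1]
    for k in nonces:
        naive = sign(d, msg, k, leak_safe=False)
        padded = sign(d, msg, k, leak_safe=True)
        assert naive[:2] == padded[:2] and verify(Q, msg, *naive[:2])
        print(f"nonce bits={k.bit_length():3d} naive loop={naive[2]:3d} padded loop={padded[2]}")
    print("naive:", loop_counts(nonces, False), "padded:", loop_counts(nonces, True))
```

Running the script prints one line per nonce: with the naive loop the iteration count tracks the nonce's bit length (1, 12, 201, ...), while with the padded scalar it is always 257, and both paths produce byte-identical, verifiable signatures. The padding trick costs one extra doubling per signature and needs no change to the signing equation, which is why it is a common first-line countermeasure, but it is a partial measure only.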
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ecdsa (PyPI) | >= 0 | — |
Affected products
- (no CPE) range: < 3.2.2-r0
- (no CPE) range: < 24.6.1-r33
- (no CPE) range: < 3.2.2-r0
- (no CPE) range: >= 0
- Range: <= 0.18.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-wj6h-64fc-37mp (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-23342 (GHSA, advisory)
- github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md (GHSA, MISC)
- github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp (GHSA, CONFIRM)
- minerva.crocs.fi.muni.cz (GHSA, MITRE MISC)
- securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/ (GHSA, MITRE MISC)
News mentions
No linked articles in our index yet.