Use of a Cryptographic Primitive with a Risky Implementation Affecting postquantum-feldman-vss package, versions [,0.8.0b3)


Severity

Medium (CVSS assessment made by Snyk's Security Team)

  • Snyk ID: SNYK-PYTHON-POSTQUANTUMFELDMANVSS-9459047
  • Published: 16 Mar 2025
  • Disclosed: 14 Mar 2025
  • Credit: DavidOsipov

Introduced: 14 Mar 2025

CVE-2025-29779
CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation

How to fix?

Upgrade PostQuantum-Feldman-VSS to version 0.8.0b3 or higher.

Overview

PostQuantum-Feldman-VSS is a Python implementation of Feldman's Verifiable Secret Sharing (VSS), designed to be post-quantum secure.

Affected versions of this package are vulnerable to Use of a Cryptographic Primitive with a Risky Implementation because the fault-injection countermeasures in secure_redundant_execution are inadequate. An attacker able to induce faults in the hardware running the library can bypass the redundancy check, extract secret polynomial coefficients during share generation or verification, force invalid shares to be accepted during verification, and manipulate commitment verification so that fraudulent commitments are accepted. Exploitation requires physical access to the hardware: the attack depends on inducing faults during execution, not on any network- or API-reachable input, which is why the rating is medium despite the impact on secret confidentiality and share integrity.

Workaround

Until the upgrade is applied, the risk can be reduced by deploying the software only in environments with physical security controls, increasing the redundancy count, independently verifying the results of cryptographic operations (for example, re-checking every share against the published commitments outside the library), and performing key operations in a hardware security module (HSM). None of these removes the underlying weakness; upgrading to 0.8.0b3 or higher does.
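To make the two recommendations concrete, here is an added example written for this page; it is not code from PostQuantum-Feldman-VSS, and it does not reproduce the library's actual defect, which the advisory does not describe. It shows a toy Feldman VSS dealer whose deterministic share/commitment computation is wrapped in a redundant-execution guard, plus the independent share check that anyone holding the public commitments can run. The group parameters (P = 2039, Q = 1019, G = 4), all function names, and the simulated glitch are assumptions for illustration only; a real deployment uses a large group and an audited library.

```python
import hmac
import secrets
from typing import Any, Callable, List, Sequence, Tuple

# Toy group (assumption, illustration only): safe prime P = 2Q + 1, with
# G = 4 generating the order-Q subgroup. A real deployment uses a large group.
Q = 1019
P = 2 * Q + 1  # 2039
G = 4

Share = Tuple[int, int]  # (x, f(x) mod Q)


class RedundancyViolation(RuntimeError):
    """Redundant runs of one computation disagreed: treat it as a fault."""


def redundant_execute(fn: Callable[[], Any], encode: Callable[[Any], bytes],
                      runs: int = 3) -> Any:
    """Run fn `runs` times; return its result only if every run agrees.
    Every run is compared to the first with hmac.compare_digest and without
    early exit, so no run is skipped and the comparison leaks no timing.
    Disagreement aborts rather than picking a winner by majority vote."""
    if runs < 2:
        raise ValueError("at least two redundant runs are required")
    results = [fn() for _ in range(runs)]
    encoded = [encode(r) for r in results]
    consistent = True
    for e in encoded[1:]:
        consistent &= hmac.compare_digest(encoded[0], e)
    if not consistent:
        raise RedundancyViolation("redundant executions disagree; aborting")
    return results[0]


def _eval_poly(coeffs: Sequence[int], x: int) -> int:
    """Horner evaluation of f(x) = sum a_j * x^j (mod Q)."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % Q
    return acc


def make_computation(coeffs: Sequence[int], n: int):
    """Deterministic part of dealing: shares f(1..n) and commitments G^a_j."""
    def compute() -> Tuple[List[Share], List[int]]:
        shares = [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]
        return shares, [pow(G, a, P) for a in coeffs]
    return compute


def deal(secret: int, threshold: int, n: int, runs: int = 3):
    """Sample the polynomial once, then run the deterministic part redundantly."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(threshold - 1)]
    return redundant_execute(make_computation(coeffs, n),
                             lambda r: repr(r).encode(), runs)


def verify_share(share: Share, commitments: Sequence[int]) -> bool:
    """Feldman check G^f(x) == prod_j C_j^(x^j) (mod P) from public data only,
    so any share holder or auditor can run it outside the dealer's code."""
    x, y = share
    rhs = 1
    for j, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(x, j, Q), P) % P
    return pow(G, y, P) == rhs


def reconstruct(shares: Sequence[Share]) -> int:
    """Lagrange interpolation at x = 0 over Z_Q."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        secret = (secret + yi * num * pow(den, -1, Q)) % Q
    return secret


def glitched_dealing_is_caught(secret: int = 42, threshold: int = 2,
                               n: int = 3) -> bool:
    """Simulated single-run fault: run 2 of 3 returns one corrupted share."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(threshold - 1)]
    honest, calls = make_computation(coeffs, n), {"n": 0}

    def glitched():
        calls["n"] += 1
        shares, commitments = honest()
        if calls["n"] == 2:  # the glitch corrupts share 1 on this run only
            shares[0] = (1, (shares[0][1] + 1) % Q)
        return shares, commitments

    try:
        redundant_execute(glitched, lambda r: repr(r).encode(), runs=3)
    except RedundancyViolation:
        return True
    return False


if __name__ == "__main__":
    shares, commitments = deal(secret=777, threshold=3, n=5)
    print("all shares verify:", all(verify_share(s, commitments) for s in shares))
    tampered = (shares[0][0], (shares[0][1] + 1) % Q)
    print("tampered share rejected:", not verify_share(tampered, commitments))
    print("secret from 3 shares:", reconstruct(shares[:3]))
    print("glitched dealing caught:", glitched_dealing_is_caught())
```

Two points the example is meant to show. First, redundancy only helps if the guard compares every run, compares without early exit, and refuses on any mismatch; it still cannot catch a fault that hits all runs identically, which is why the workaround also asks for physical controls and a higher redundancy count. Second, verify_share depends on nothing inside the dealer: a recipient who re-checks each share against the commitments, and a verifier who recomputes the check rather than trusting a flag returned by faulted code, gets the independent verification the workaround refers to.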
