Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade ed25519-dalek to version 2.0.0 or higher.
Affected versions of this package are vulnerable to Cryptographic Issues which allows an attacker to extract the private key.
Exposing private and public keys as separate types which can be assembled into a Keypair, and providing APIs for serializing and deserializing 64-byte private/public keypairs, is inherently unsafe, because the public key is one of the inputs used in the deterministic computation of the S part of the signature, but not in the R value. An adversary who can use the signing function as an oracle that accepts arbitrary public keys as input can obtain two signatures for the same message that share the same R and differ only in the S part.
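A Python model of the signing equations described above, as an added example (not code from ed25519-dalek or from this advisory; the function names are hypothetical and the arithmetic is not constant time). It shows R staying fixed and S changing when the caller supplies the public key, beside two safe API shapes: deriving the public key from the secret, and rejecting 64-byte keypairs whose halves do not match.

```python
import hashlib

P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493      # group order
D = -121665 * pow(121666, -1, P) % P                      # curve constant d
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     4 * pow(5, -1, P) % P)                               # RFC 8032 base point

def add(p, q):  # complete twisted Edwards addition, affine coordinates
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow((1 + t) % P, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P)

def mul(k, pt):  # double-and-add; NOT constant time, illustration only
    acc = (0, 1)
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def enc(pt):  # 32-byte encoding: y little-endian, sign of x in the top bit
    return (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")

def h_int(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def expand(seed):  # clamped scalar a and nonce prefix
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)
    return a, h[32:]

def public_key(seed):
    return enc(mul(expand(seed)[0], G))

def sign_with_supplied_pk(seed, pk, msg):  # unsafe shape: caller picks pk
    a, prefix = expand(seed)
    r = h_int(prefix, msg) % L              # R depends on secret and msg only
    R = enc(mul(r, G))
    k = h_int(R, pk, msg) % L               # S depends on the supplied pk
    return R + ((r + k * a) % L).to_bytes(32, "little")

def sign(seed, msg):  # safe shape: pk is always derived from the secret
    return sign_with_supplied_pk(seed, public_key(seed), msg)

def keypair_from_bytes(blob):  # safe deserialization of seed || pk
    if len(blob) != 64 or public_key(blob[:32]) != blob[32:]:
        raise ValueError("public key does not match secret key")
    return blob[:32], blob[32:]
```

Any signing entry point that accepts the public key as a separate argument should perform the same consistency check as `keypair_from_bytes`, or not accept the argument at all.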