GHSA-2x5j-vhc8-9cwm: 
vulnerability analysis and mitigation

The GHSA-2x5j-vhc8-9cwm vulnerability was discovered in the CIRCL (Cloudflare Interoperable Reusable Cryptographic Library) implementation of FourQ, specifically affecting versions prior to 1.6.1. The vulnerability was published and reviewed on June 10, 2025, and was assigned a low severity rating. The issue affects the github.com/cloudflare/circl Go package and was identified by Alon Livne from Botanica Software Labs (GitHub Advisory).

The vulnerability is classified under CWE-20 and involves two main technical issues: First, the CIRCL implementation of FourQ fails to properly validate user-supplied low-order points during Diffie-Hellman key exchange operations. Second, there is an incorrect point validation in the ScalarMult function that can result in incorrect results in both the isEqual function and the curve point validation (GitHub Advisory).

The vulnerability could potentially allow attackers to force the identity point during Diffie-Hellman key exchange operations, which could compromise session security. Additionally, the incorrect point validation can lead to unreliable results in cryptographic operations (GitHub Advisory).

The vulnerability has been patched in version 1.6.1 of the CIRCL library. Users are advised to upgrade to this version to mitigate the identified issues (CIRCL Release).