
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity vulnerability (GHSA-v432-7f47-9g94) was discovered in PostQuantum-Feldman-VSS, a Python library implementing Feldman's Verifiable Secret Sharing scheme with post-quantum security. The vulnerability affects versions up to and including 0.7.6b0 and stems from the library's dependency on gmpy2 for arbitrary-precision arithmetic. The issue was published on March 15, 2025, and received a CVSS score of 8.7. It allows an attacker to cause a denial of service by exploiting gmpy2's behavior when memory allocation fails (GitHub Advisory).
The vulnerability arises from the behavior of the GNU Multiple Precision Arithmetic Library (GMP), on which gmpy2 depends. When GMP fails to allocate memory, it terminates the entire process instead of raising a standard Python exception such as MemoryError, so the calling application gets no chance to catch the error and recover. Several operations were particularly exposed, including large exponentiation (exp, secureexp), multi-exponentiation (efficientmultiexp), matrix operations (securematrixsolve), and polynomial evaluation (evaluatepolynomial). The CVSS metrics are a Network attack vector, Low attack complexity, No privileges required, and No user interaction (GitHub Advisory).
The primary impact of this vulnerability is on system availability. When successfully exploited, an attacker can cause the Python interpreter to crash by providing carefully crafted inputs that trigger excessive memory allocation attempts. This results in a complete denial of service of the affected application. The vulnerability does not impact system confidentiality or integrity (GitHub Advisory).
Version 0.8.0b2 implements significant mitigations including a new MemoryMonitor class for tracking memory usage, memory safety checks, enhanced input validation, and safer defaults. For versions <= 0.7.6b0, workarounds include limiting input sizes, implementing resource monitoring, thorough input validation, and rate limiting. The recommended action is to upgrade to version 0.8.0b2 or later as soon as possible. Users should also configure appropriate memory limits using the MemoryMonitor and implement robust input validation (GitHub Advisory).
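The workaround the advisory describes for versions <= 0.7.6b0 is to bound input sizes before the arithmetic ever reaches GMP, because once GMP's allocator fails there is no Python exception to catch. The following is an added illustration of that idea, not code from PostQuantum-Feldman-VSS or from the advisory: it estimates an upper bound on the size of a big-integer result from the operand bit lengths and refuses the computation when the bound exceeds a configured budget. The function names (guarded_exp, guarded_multi_exp), the InputTooLarge exception, and the default limits are assumptions chosen for the example; gmpy2 is used when installed and plain Python integers otherwise, since the size estimate is the same either way.

```python
"""Pre-computation size guards for big-integer exponentiation.

Added example (not the library's own code). The point: estimate how large
a result would be *before* asking GMP to allocate it, so oversized inputs
are rejected with a catchable Python exception instead of an abort().
"""

try:
    from gmpy2 import mpz  # arbitrary-precision ints backed by GMP
except ImportError:        # fallback so the example runs without gmpy2
    mpz = int


class InputTooLarge(ValueError):
    """Raised when an operation would produce a result beyond the budget."""


def estimate_pow_bits(base, exponent):
    """Upper bound on bit_length(base ** exponent).

    Since |base| < 2**bit_length(base), |base| ** e < 2**(e * bit_length(base)).
    """
    if exponent == 0:
        return 1  # base ** 0 == 1
    return max(1, exponent * abs(base).bit_length())


def guarded_exp(base, exponent, max_result_bits=1 << 20):
    """Compute base ** exponent only if the result fits the bit budget.

    max_result_bits defaults to 2**20 bits (128 KiB), an assumed budget.
    """
    if exponent < 0:
        raise ValueError("exponent must be non-negative")
    bits = estimate_pow_bits(base, exponent)
    if bits > max_result_bits:
        raise InputTooLarge(
            f"result could need ~{bits} bits, budget is {max_result_bits}")
    return mpz(base) ** int(exponent)


def guarded_multi_exp(pairs, max_result_bits=1 << 20):
    """Compute the product of base_i ** exp_i over (base, exp) pairs.

    The product of terms needs at most the sum of the per-term bit bounds,
    so the whole multi-exponentiation is checked before any term is computed.
    """
    total_bits = 0
    for base, exponent in pairs:
        if exponent < 0:
            raise ValueError("exponent must be non-negative")
        total_bits += estimate_pow_bits(base, exponent)
    if total_bits > max_result_bits:
        raise InputTooLarge(
            f"product could need ~{total_bits} bits, budget is {max_result_bits}")
    result = mpz(1)
    for base, exponent in pairs:
        result *= mpz(base) ** int(exponent)
    return result


def guarded_mod_exp(base, exponent, modulus, max_modulus_bits=1 << 14):
    """Modular exponentiation bounded by the modulus size.

    The reduced result never exceeds the modulus, so here the only size
    that matters is the modulus itself (16384-bit default budget, assumed).
    """
    if modulus <= 0:
        raise ValueError("modulus must be positive")
    if modulus.bit_length() > max_modulus_bits:
        raise InputTooLarge(
            f"modulus has {modulus.bit_length()} bits, budget is {max_modulus_bits}")
    return pow(int(base), int(exponent), int(modulus))


def is_rejected(fn, *args, **kwargs):
    """True if fn(*args, **kwargs) raises InputTooLarge (test helper)."""
    try:
        fn(*args, **kwargs)
    except InputTooLarge:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a small exponentiation that passes, a huge one
    # that is refused before GMP is asked for memory.
    print(guarded_exp(3, 10))
    print(is_rejected(guarded_exp, 2, 10_000_000, max_result_bits=1 << 20))
```

The budget values are the tunable part: set max_result_bits from the memory actually available to the process, and keep the modular path (guarded_mod_exp) for any step whose mathematics permits reduction, since a reduced result cannot grow past the modulus no matter how large the exponent is.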
Source: This report was generated using AI