Common Weakness Enumeration

CWE-345

Discouraged

Insufficient Verification of Data Authenticity

Abstraction: Class · Status: Draft

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

939 vulnerabilities reference this CWE, most recent first.

GHSA-V43Q-XFHP-F928

Vulnerability from github – Published: 2024-08-13 18:31 – Updated: 2024-08-13 18:31
VLAI
Details

Windows Print Spooler Elevation of Privilege Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38198"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-13T18:15:29Z",
    "severity": "HIGH"
  },
  "details": "Windows Print Spooler Elevation of Privilege Vulnerability",
  "id": "GHSA-v43q-xfhp-f928",
  "modified": "2024-08-13T18:31:17Z",
  "published": "2024-08-13T18:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38198"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38198"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V4H4-747P-QJGX

Vulnerability from github – Published: 2026-06-28 09:31 – Updated: 2026-06-28 09:31
VLAI
Details

A flaw has been found in arc53 DocsGPT up to 0.18.0. The affected element is the function encrypt_credentials of the file application/security/encryption.py of the component Credential Storage. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-13483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-28T07:16:21Z",
    "severity": "LOW"
  },
  "details": "A flaw has been found in arc53 DocsGPT up to 0.18.0. The affected element is the function encrypt_credentials of the file application/security/encryption.py of the component Credential Storage. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.",
  "id": "GHSA-v4h4-747p-qjgx",
  "modified": "2026-06-28T09:31:48Z",
  "published": "2026-06-28T09:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13483"
    },
    {
      "type": "WEB",
      "url": "https://github.com/arc53/DocsGPT/issues/2503"
    },
    {
      "type": "WEB",
      "url": "https://github.com/arc53/DocsGPT/pull/2331"
    },
    {
      "type": "WEB",
      "url": "https://github.com/arc53/DocsGPT"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-13483"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/837646"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/374480"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/374480/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V5H4-982G-572V

Vulnerability from github – Published: 2023-05-31 03:30 – Updated: 2026-04-08 18:32
VLAI
Details

The Wordapp plugin for WordPress is vulnerable to authorization bypass due to an use of insufficiently unique cryptographic signature on the 'wa_pdx_op_config_set' function in versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to the plugin to change the 'validation_token' in the plugin config, providing access to the plugin's remote control functionalities, such as creating an admin access URL, which can be used for privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2987"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-31T03:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "The Wordapp plugin for WordPress is vulnerable to authorization bypass due to an use of insufficiently unique cryptographic signature on the \u0027wa_pdx_op_config_set\u0027 function in versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to the plugin to change the \u0027validation_token\u0027 in the plugin config, providing access to the plugin\u0027s remote control functionalities, such as creating an admin access URL, which can be used for privilege escalation.",
  "id": "GHSA-v5h4-982g-572v",
  "modified": "2026-04-08T18:32:05Z",
  "published": "2023-05-31T03:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2987"
    },
    {
      "type": "WEB",
      "url": "https://lana.report/publication/6e779e9a-e0f9-4102-9f0b-ad46e9c4533f"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wordapp/trunk/includes/access.php#L28"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wordapp/trunk/includes/config.php#L59"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wordapp/trunk/includes/pdx.php#L64"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3063322/wordapp"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/80440bfa-4a02-4441-bbdb-52d7dd065a9d?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V62Q-78F9-67XV

Vulnerability from github – Published: 2022-03-19 00:00 – Updated: 2022-03-30 00:01
VLAI
Details

Syltek application before its 10.22.00 version, does not correctly check that a product ID has a valid payment associated to it. This could allow an attacker to forge a request and bypass the payment system by marking items as payed without any verification.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-4031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-18T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Syltek application before its 10.22.00 version, does not correctly check that a product ID has a valid payment associated to it. This could allow an attacker to forge a request and bypass the payment system by marking items as payed without any verification.",
  "id": "GHSA-v62q-78f9-67xv",
  "modified": "2022-03-30T00:01:24Z",
  "published": "2022-03-19T00:00:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4031"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe-cert.es/en/early-warning/security-advisories/syltek-insufficient-verification-data-authenticity"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V7PC-74H8-XQ2H

Vulnerability from github – Published: 2025-02-10 21:52 – Updated: 2025-02-10 21:52
VLAI
Summary
Hickory DNS failure to verify self-signed RRSIG for DNSKEYs
Details

Summary

The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to authenticate other records in the zone. There is a second variant of this vulnerability involving DS records, where an authenticated DS record covering one DNSKEY leads to trust in signatures made by an unrelated DNSKEY in the same zone.

Details

verify_dnskey_rrset() will return Ok(true) if any record's public key matches a trust anchor. This results in verify_rrset() returning a Secure proof. This ultimately results in successfully verifying a response containing DNSKEY records. verify_default_rrset() looks up DNSKEY records by calling handle.lookup(), which takes the above code path. There's a comment following this that says "DNSKEYs were already validated by the inner query in the above lookup", but this is not the case. To fully verify the whole RRset of DNSKEYs, it would be necessary to check self-signatures by the trusted key over the other keys. Later in verify_default_rrset(), verify_rrset_with_dnskey() is called multiple times with different keys and signatures, and if any call succeeds, then its Proof is returned.

Similarly, verify_dnskey_rrset() returns Ok(false) if any DNSKEY record is covered by a DS record. A comment says "If all the keys are valid, then we are secure", but this is only checking that one key is authenticated by a DS in the parent zone's delegation point. This time, after control flow returns to verify_rrset(), it will call verify_default_rrset(). The special handling for DNSKEYs in verify_default_rrset() will then call verify_rrset_with_dnskey() using each KSK DNSKEY record, and if one call succeeds, return its Proof. If there are multiple KSK DNSKEYs in the RRset, then this leads to another authentication break. We need to either pass the authenticated DNSKEYs from the DS covering check to the RRSIG validation, or we need to perform this RRSIG validation of the DNSKEY RRset inside verify_dnskey_rrset() and cut verify_default_rrset() out of DNSKEY RRset validation entirely.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "hickory-proto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "0.24.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "hickory-proto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.25.0-alpha.1"
            },
            {
              "fixed": "0.25.0-alpha.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-10T21:52:28Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Summary\n\nThe DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to authenticate other records in the zone. There is a second variant of this vulnerability involving DS records, where an authenticated DS record covering one DNSKEY leads to trust in signatures made by an unrelated DNSKEY in the same zone.\n\nDetails\n\nverify_dnskey_rrset() will return Ok(true) if any record\u0027s public key matches a trust anchor. This results in verify_rrset() returning a Secure proof. This ultimately results in successfully verifying a response containing DNSKEY records. verify_default_rrset() looks up DNSKEY records by calling handle.lookup(), which takes the above code path. There\u0027s a comment following this that says \"DNSKEYs were already validated by the inner query in the above lookup\", but this is not the case. To fully verify the whole RRset of DNSKEYs, it would be necessary to check self-signatures by the trusted key over the other keys. Later in verify_default_rrset(), verify_rrset_with_dnskey() is called multiple times with different keys and signatures, and if any call succeeds, then its Proof is returned.\n\nSimilarly, verify_dnskey_rrset() returns Ok(false) if any DNSKEY record is covered by a DS record. A comment says \"If all the keys are valid, then we are secure\", but this is only checking that one key is authenticated by a DS in the parent zone\u0027s delegation point. This time, after control flow returns to verify_rrset(), it will call verify_default_rrset(). The special handling for DNSKEYs in verify_default_rrset() will then call verify_rrset_with_dnskey() using each KSK DNSKEY record, and if one call succeeds, return its Proof. If there are multiple KSK DNSKEYs in the RRset, then this leads to another authentication break. We need to either pass the authenticated DNSKEYs from the DS covering check to the RRSIG validation, or we need to perform this RRSIG validation of the DNSKEY RRset inside verify_dnskey_rrset() and cut verify_default_rrset() out of DNSKEY RRset validation entirely.",
  "id": "GHSA-v7pc-74h8-xq2h",
  "modified": "2025-02-10T21:52:29Z",
  "published": "2025-02-10T21:52:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-37wc-h8xc-5hc4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hickory-dns/hickory-dns"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0006.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Hickory DNS failure to verify self-signed RRSIG for DNSKEYs"
}

GHSA-VC3V-PPC7-V486

Vulnerability from github – Published: 2023-11-14 22:21 – Updated: 2024-11-22 20:43
VLAI
Summary
vantage6-server node accepts non-whitelisted algorithms from malicious server
Details

Impact

A node does not check if an image is allowed to run if a parent_id is set. A malicious party that breaches the server may modify it to set a fake parent_id and send a task of a non-whitelisted algorithm. The node will then execute it because the parent_id that is set prevents checks from being run. Relevant node code here

This impacts all servers that are breached by an expert user

Patches

Fixed in v4.1.2

Workarounds

None

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vantage6-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vantage6-node"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-47631"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-358"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-14T22:21:57Z",
    "nvd_published_at": "2023-11-14T21:15:13Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA node does not check if an image is allowed to run if a `parent_id` is set. A malicious party that breaches the server may modify it to set a fake `parent_id` and send a task of a non-whitelisted algorithm. The node will then execute it because the `parent_id` that is set prevents checks from being run. Relevant node code [here](https://github.com/vantage6/vantage6/blob/version/4.1.1/vantage6-node/vantage6/node/docker/docker_manager.py#L265-L268)\n\nThis impacts all servers that are breached by an expert user\n\n### Patches\nFixed in v4.1.2\n\n### Workarounds\nNone\n\n",
  "id": "GHSA-vc3v-ppc7-v486",
  "modified": "2024-11-22T20:43:06Z",
  "published": "2023-11-14T22:21:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-vc3v-ppc7-v486"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47631"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/commit/bf83521eb12fa80aa5fc92ef1692010a9a7f8243"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vantage6-node/PYSEC-2023-303.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vantage6-server/PYSEC-2023-304.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vantage6/vantage6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/blob/version/4.1.1/vantage6-node/vantage6/node/docker/docker_manager.py#L265-L268"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vantage6-server node accepts non-whitelisted algorithms from malicious server"
}

GHSA-VF28-R8MX-J24P

Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 21:31
VLAI
Details

When loading a script with Subresource Integrity, attackers with an injection capability could trigger the reuse of previously cached entries with incorrect, different integrity metadata. This vulnerability affects Firefox < 103.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-22T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "When loading a script with Subresource Integrity, attackers with an injection capability could trigger the reuse of previously cached entries with incorrect, different integrity metadata. This vulnerability affects Firefox \u003c 103.",
  "id": "GHSA-vf28-r8mx-j24p",
  "modified": "2025-04-15T21:31:26Z",
  "published": "2022-12-22T21:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36315"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1762520"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-28"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VGQ8-MC5M-6W55

Vulnerability from github – Published: 2026-03-17 18:30 – Updated: 2026-03-17 18:30
VLAI
Details

JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding SHA256 hash to pass verification.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-32294"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-17T18:16:16Z",
    "severity": "HIGH"
  },
  "details": "JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding SHA256 hash to pass verification.",
  "id": "GHSA-vgq8-mc5m-6w55",
  "modified": "2026-03-17T18:30:33Z",
  "published": "2026-03-17T18:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32294"
    },
    {
      "type": "WEB",
      "url": "https://eclypsium.com/blog/kvm-devices-the-keys-to-your-kingdom-are-hanging-on-the-network"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jetkvm/kvm/releases/tag/release%2F0.5.4"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-32294"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VH73-V9G2-4Q7C

Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2022-05-24 22:00
VLAI
Details

Lack of root file system integrity checking in Fortinet FortiOS VM application images all versions below 6.0.5 may allow attacker to implant malicious programs into the installing image by reassembling the image through specific methods.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5587"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-345"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-04T22:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Lack of root file system integrity checking in Fortinet FortiOS VM application images all versions below 6.0.5 may allow attacker to implant malicious programs into the installing image by reassembling the image through specific methods.",
  "id": "GHSA-vh73-v9g2-4q7c",
  "modified": "2022-05-24T22:00:05Z",
  "published": "2022-05-24T22:00:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5587"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/advisory/FG-IR-19-017"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108628"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ64-RJF3-W3V7

Vulnerability from github – Published: 2026-05-21 20:24 – Updated: 2026-06-11 14:05
VLAI
Summary
Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss
Details

Impact

  • Key: challenger/src/multi_field_challenger.rs | MultiField32Challenger::duplexing | transcript_malleability
  • Affected files: challenger/src/multi_field_challenger.rs, field/src/helpers.rs
  • Violated invariant: The Fiat-Shamir sponge must bind challenges to the exact sequence of observed field elements. Specifically: (1) absorption must be injective — distinct observation streams must produce distinct sponge states, (2) squeezing must be injective — distinct PF rate cells must yield distinct F challenge sequences, and (3) all bits of each absorbed PF element must influence the sponge state.

  • Exploit scenario: An attacker controlling prover-side observations can craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir. Three independent attack vectors exist:

  • Partial-chunk aliasing (absorb): duplexing() packs input_buffer.chunks(num_f_elms) via reduce_32 (base 2^32) with no length marker and no zeroing of unused rate slots. Observing [x] followed by a sample yields the same sponge state as [x, 0, ..., 0] (padded to num_f_elms) followed by a sample, since reduce_32 treats missing high limbs identically to explicit zeros. The attacker can extend or truncate the tail of any observation batch without changing future challenges.

  • Non-injective squeeze (squeeze): split_32 decomposes each PF rate cell into base-2^64 digits and maps each through TF::from_u64, which reduces mod F::ORDER (~2^31). Two distinct PF values whose base-2^64 digits differ only in their upper 33 bits produce identical F challenge sequences. This weakens the entropy of sampled challenges and can enable selective forgery when the attacker can influence the sponge state pre-squeeze.

  • High-bit truncation (observe Hash/MerkleCap): num_f_elms = PF::bits() / 64 computes the number of F limbs per PF element. For BN254 (254-bit field), this yields 3 limbs covering 192 bits — the top 62 bits of every digest word are silently discarded. An attacker can find two distinct BN254 hash digests that differ only in bits 192–253 and observe them interchangeably without affecting challenges.

  • Evidence: In duplexing(), the absorb path (reduce_32 with base 2^32) and the squeeze path (split_32 with base 2^64) use incompatible radices with no length domain separation. reduce_32 is a plain Horner fold acc * 2^32 + digit with no padding or tag, so trailing zeros are free. split_32 extracts u64 digits and casts each via TF::from_u64, which performs modular reduction, collapsing the top bits. The limb count PF::bits() / 64 is a floor division that silently drops all bits beyond 64 * num_f_elms for fields whose bit-width is not a multiple of 64.

Patches

Included in v0.4.3 and v0.5.3

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "p3-challenger"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "p3-challenger"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.0"
            },
            {
              "fixed": "0.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1240",
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T20:24:21Z",
    "nvd_published_at": "2026-06-10T22:16:59Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\n- **Key**: `challenger/src/multi_field_challenger.rs` | `MultiField32Challenger::duplexing` | `transcript_malleability`\n- **Affected files**: `challenger/src/multi_field_challenger.rs`, `field/src/helpers.rs`\n- **Violated invariant**: The Fiat-Shamir sponge must bind challenges to the exact sequence of observed field elements. Specifically: (1) absorption must be injective \u2014 distinct observation streams must produce distinct sponge states, (2) squeezing must be injective \u2014 distinct PF rate cells must yield distinct F challenge sequences, and (3) all bits of each absorbed PF element must influence the sponge state.\n\n- **Exploit scenario**: An attacker controlling prover-side observations can craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir. Three independent attack vectors exist:\n\n  1. **Partial-chunk aliasing (absorb)**: `duplexing()` packs `input_buffer.chunks(num_f_elms)` via `reduce_32` (base 2^32) with no length marker and no zeroing of unused rate slots. Observing `[x]` followed by a sample yields the same sponge state as `[x, 0, ..., 0]` (padded to `num_f_elms`) followed by a sample, since `reduce_32` treats missing high limbs identically to explicit zeros. The attacker can extend or truncate the tail of any observation batch without changing future challenges.\n\n  2. **Non-injective squeeze (squeeze)**: `split_32` decomposes each PF rate cell into base-2^64 digits and maps each through `TF::from_u64`, which reduces mod `F::ORDER` (~2^31). Two distinct PF values whose base-2^64 digits differ only in their upper 33 bits produce identical F challenge sequences. This weakens the entropy of sampled challenges and can enable selective forgery when the attacker can influence the sponge state pre-squeeze.\n\n  3. **High-bit truncation (observe Hash/MerkleCap)**: `num_f_elms = PF::bits() / 64` computes the number of F limbs per PF element. For BN254 (254-bit field), this yields 3 limbs covering 192 bits \u2014 the top 62 bits of every digest word are silently discarded. An attacker can find two distinct BN254 hash digests that differ only in bits 192\u2013253 and observe them interchangeably without affecting challenges.\n\n- **Evidence**: In `duplexing()`, the absorb path (`reduce_32` with base 2^32) and the squeeze path (`split_32` with base 2^64) use incompatible radices with no length domain separation. `reduce_32` is a plain Horner fold `acc * 2^32 + digit` with no padding or tag, so trailing zeros are free. `split_32` extracts u64 digits and casts each via `TF::from_u64`, which performs modular reduction, collapsing the top bits. The limb count `PF::bits() / 64` is a floor division that silently drops all bits beyond `64 * num_f_elms` for fields whose bit-width is not a multiple of 64.\n\n### Patches\n\nIncluded in v0.4.3 and v0.5.3",
  "id": "GHSA-vj64-rjf3-w3v7",
  "modified": "2026-06-11T14:05:27Z",
  "published": "2026-05-21T20:24:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Plonky3/Plonky3/security/advisories/GHSA-vj64-rjf3-w3v7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46654"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Plonky3/Plonky3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss"
}

No mitigation information available for this CWE.

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.

CAPEC-141: Cache Poisoning

An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.

CAPEC-142: DNS Cache Poisoning

A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.

CAPEC-148: Content Spoofing

An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes.

CAPEC-218: Spoofing of UDDI/ebXML Messages

An attacker spoofs a UDDI, ebXML, or similar message in order to impersonate a service provider in an e-business transaction. UDDI, ebXML, and similar standards are used to identify businesses in e-business transactions. Among other things, they identify a particular participant, WSDL information for SOAP transactions, and supported communication protocols, including security protocols. By spoofing one of these messages an attacker could impersonate a legitimate business in a transaction or could manipulate the protocols used between a client and business. This could result in disclosure of sensitive information, loss of message integrity, or even financial fraud.

CAPEC-384: Application API Message Manipulation via Man-in-the-Middle

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to perform adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system. Despite the use of AiTH software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true "Adversary-in-the-Middle" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client.

CAPEC-385: Transaction or Event Tampering via Application API Manipulation

An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.

CAPEC-386: Application API Navigation Remapping

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud.

CAPEC-387: Navigation Remapping To Propagate Malicious Content

An adversary manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic.

CAPEC-388: Application API Button Hijacking

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.

CAPEC-701: Browser in the Middle (BiTM)

An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access.