Commit ee30745 for bitwiseleftshift_sjcl
commit ee307459972442a17beebc29dc331fffd8aff796
Author: Mike Hamburg <mike@shiftleft.org>
Date: Sat Mar 14 10:20:36 2026 +0100
fix a vulnerability to invalid curve attacks
diff --git a/README.md b/README.md
index e2b2551..fb53480 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
Deprecation status
====
-Having not been updated in many years, sjcl is deprecated. Please do not use it in new projects, and consider instead a more modern alternative.
+Having not been updated in many years (except to fix one serious vulnerability, described below), sjcl is deprecated. Please do not use it in new projects, and consider instead a more modern alternative.
[](https://travis-ci.org/bitwiseshiftleft/sjcl)
@@ -16,6 +16,8 @@ Security Advisories
* 12.02.2014: the current development version has a paranoia bug in the ecc module. The bug was introduced in commit [ac0b3fe0](https://github.com/bitwiseshiftleft/sjcl/commit/ac0b3fe0) and might affect ecc key generation on platforms without a platform random number generator.
+* 03.08.2026: According to https://gist.github.com/Kr0emer/2560f98edb10b0b34f2438cd63913c47, sjcl is vulnerable due to missing point-on-curve validation in `sjcl.ecc.basicKey.publicKey()`. An attacker can recover a victim's ECDH private key by sending crafted off-curve public keys and observing ECDH outputs. The `dhJavaEc()` function directly returns the raw x-coordinate of the scalar multiplication result (no hashing), providing a plaintext oracle without requiring any decryption feedback. This bug is fixed in SJCL 1.0.9. Thanks to Kr0emer for reporting it, and to the the Snyk security team for relaying this information.
+
Security Contact
====
Security Mail: sjcl@ovt.me
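Review bot: the new advisory line has a doubled word ("to the the Snyk security team") and its date format does not match the preceding entry: "12.02.2014" reads as DD.MM.YYYY, so "03.08.2026" would be 3 August 2026, which is after the commit date (14 March 2026) on this page; please fix the typo and use one date convention for both entries. It would also help readers to state that the fix is the point-on-curve check added to `sjcl.ecc.basicKey.publicKey` in `core/ecc.js`, since the entry names the vulnerable function but not where the validation now lives.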
diff --git a/core/ecc.js b/core/ecc.js
index 9faa05c..42f6305 100644
--- a/core/ecc.js
+++ b/core/ecc.js
@@ -460,6 +460,10 @@ sjcl.ecc.basicKey = {
this._point = point;
}
+ if (!this._point.isValid()) {
+ throw new sjcl.exception.corrupt("not on the curve!");
+ }
+
this.serialize = function () {
var curveName = sjcl.ecc.curveName(curve);
return {
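Review bot: the `isValid()` check is only visible in the `publicKey` constructor; since the README entry names `dhJavaEc()` as the function that returns the raw x-coordinate, please confirm that every path that feeds a peer-supplied point into a scalar multiplication goes through this constructor (or add the same check at the point of use), and that `isValid()` also rejects the point at infinity, not just points off the curve equation. A regression test that builds a public key from an off-curve coordinate pair and asserts that `sjcl.exception.corrupt` is thrown would document the fix and keep it from regressing.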