GHSA-2ff4-xfpr-m32r
`Slip10Like` derivation method instantiated with certain curves may allow attacker to find derivation path which results into very long derivation (possible DoS)
Blast Radius
hd-wallet🦀slip-10Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.
Description
Impact
<!-- _What kind of vulnerability is it? Who is impacted?_ -->Impacted are the only ones who use hd_wallet::Slip10Like or slip_10 derivation method instantiated with curves other than secp256k1 and secp256r1.
hd_wallet crate used to provide Slip10Like derivation method, which is also provided in slip-10 crate as a default derivation method. It's based on slip10 method that searches for a valid child key in an infinite loop until it's found.
Theoretically, this could be exploited by an attacker by finding a derivation path that would force someone to execute a lot of iterations of this loop to find a valid child key. This attack, however, requires the probability of getting an invalid scalar from random 32 bytes to be high. Slip10 is protected from this attack as it's only defined on secp256k1 and secp256r1 curves, for which such probability is very low:
- For secp256k1, probability is $< 2^{-127}$. This means that a loop with 2 or more iterations is vanishingly impossible.
- For secp256r1, probability is $< 2^{-32}$. This means that a loop with 5 or more iterations is vanishingly impossible.
While standard curves are safe to use with slip10, we used to allow slip10-like derivation which can be instantiated with any curve. For instance, one could instantiate it with ed25519 or stark curves, for which probability of getting invalid scalar from random 32 bytes is >90%, so theoretically, attacker could try to DoS such construction.
Patches
<!-- _Has the problem been patched? What versions should users upgrade to?_ -->hd_wallet v0.6.0 has been patched by removing slip10-like derivation from public API.
If you need HD derivation on other curves than secp256k1 and secp256r1, we suggest you to use:
hd_wallet::Edwardsderivation method available for ed25519 curvehd_wallet::Starkderivation method available for stark curve
Both derivation methods are non-standard, but secure and efficient.
If you're still using slip_10 and would like to migrate to patched version, please migrate to hd_wallet v0.6. You may first migrate from slip_10 v0.4 to hd_wallet v0.5 by following migration instructions available in the docs, and then upgrade from hd_wallet v0.5 to hd_wallet v0.6.
Workarounds
Technically, you don't need to upgrade if you don't use slip10-like derivation instantiated with other curves than secp256k1 or secp256r1.
However, if you do, migrating to other derivation method might be required.
Reach out to us in Discord
If you want to reach out to us, feel free to write to #lockness room in Discord
Credits
Thanks to Alessio Marziali [email protected] for discovering and flagging this issue
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🦀crates.io | hd-wallet | all versions | 0.6.0 |
| 🦀crates.io | slip-10 | all versions | No fix |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for hd-wallet. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update hd-wallet to 0.6.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-2ff4-xfpr-m32r is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-2ff4-xfpr-m32r is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-2ff4-xfpr-m32r. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-2ff4-xfpr-m32r in your dependencies?
O3 detects GHSA-2ff4-xfpr-m32r across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.