GHSA-969w-q74q-9j8v
Unsound API in `secp256k1` allows use-after-free and invalid deallocation from safe code
Blast Radius
secp256k1🦀secp256k1🦀secp256k1Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.
Description
Because of incorrect bounds on method Secp256k1::preallocated_gen_new it was possible to cause use-after-free from safe consumer code. It was also possible to "free" memory not allocated by the appropriate allocator.
The method takes a place for storing the context as a mutable reference and returns context containing that reference. Because the code internally uses unsafe and the bounds were incorrect it was possible to create a context that outlived the passed reference (e.g. 'static). Because the context can alternatively carry heap-allocated pointer freed on drop it was possible to "deallocate" a pointer that wasn't returned from appropriate allocator. The code decides whether to free the memory based on type parameter but because of missing bound it was possible to construct the context with invalid parameter.
You are unaffected if you either
- don't call
Secp256k1::preallocated_gen_new - manually checked that your usage of the method is sound
- upgraded to the patched version of
secp256k1(recommended)
The patched version uses correct bounds which means it is API-breaking. This effectively means adopting the policy of Rust lang itself allowing API-breaking changes to fix soundness bugs. Note however that valid straigthforward usage of the code will continue to compile. Only unsound code or code that propagates the bound in custom generics will fail to compile. If the code is sound fixing the bounds should be sufficient to make the code compile.
See the GitHub issue for example "exploit" code and further discussion.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🦀crates.io | secp256k1 | ≥ 0.14.0&&< 0.22.2 | 0.22.2 |
| 🦀crates.io | secp256k1 | ≥ 0.23.0&&< 0.23.5 | 0.23.5 |
| 🦀crates.io | secp256k1 | ≥ 0.24.0&&< 0.24.2 | 0.24.2 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for secp256k1. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update secp256k1 to 0.22.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-969w-q74q-9j8v is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-969w-q74q-9j8v is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-969w-q74q-9j8v. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-969w-q74q-9j8v in your dependencies?
O3 detects GHSA-969w-q74q-9j8v across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.