How severe is GHSA-h24c-6p6p-m3vx?

No CVSS score has been assigned to GHSA-h24c-6p6p-m3vx yet. Review the advisory details and affected package list to assess your exposure.

Which packages are affected by GHSA-h24c-6p6p-m3vx?

GHSA-h24c-6p6p-m3vx affects the following packages: github.com/bnb-chain/tss-lib (Go). Ecosystems affected: Go.

How do I fix GHSA-h24c-6p6p-m3vx?

No patched version of github.com/bnb-chain/tss-lib has shipped for GHSA-h24c-6p6p-m3vx yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.

How do I detect GHSA-h24c-6p6p-m3vx in my Go dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/bnb-chain/tss-lib. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-h24c-6p6p-m3vx if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-h24c-6p6p-m3vx?

O3 pinpoints whether GHSA-h24c-6p6p-m3vx is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-h24c-6p6p-m3vx actively exploited in the wild?

No public exploit code has been indexed for GHSA-h24c-6p6p-m3vx yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

When was GHSA-h24c-6p6p-m3vx published, and has it been updated?

GHSA-h24c-6p6p-m3vx was published on September 1, 2023. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐹 Go

GHSA-h24c-6p6p-m3vx

tss-lib leaks secret keys in response to incorrectly constructed Paillier moduli

Published

Sep 1, 2023

Updated

Sep 1, 2023

Affected

1 pkg

Patched

None yet

Exploits

None indexed

Blast Radius

1 pkg affected

🐹github.com/bnb-chain/tss-lib

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Impact

The specification of the GG18 threshold ECDSA signature protocol contains a vulnerability allowing an attacker to recover the shared secret key. If a participant generates a Paillier modulus N containing small factors (less than 2^100) they can interact with other participants in the signing protocol to steal their secret key shares in as little as sixteen signing attempts. The master key can then be reconstructed from these shares.

Patches

The implementation of GG18 in tss-lib did not prove that N is biprime or that it doesn't contain small factors. The fixed implementation adds the following proofs from the CGGMP21 threshold ECDSA protocol to the key generation:

Paillier-Blum Modulus (N is the product of two primes)
No Small Factor (both factors of N are greater than 2^256)

These proofs apply to both the Paillier encryption modulus N, and the modulus NTilde used in MTA proofs.

To address the issue in the resharing protocol, an additional round has been added to the end so that participants can confirm that they received valid proofs.

References

GG18
CGGMP21

Affected Packages

1 total

Ecosystem	Package	Vulnerable range	Fix
🐹Go	`github.com/bnb-chain/tss-lib`	all versions	No fix

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/bnb-chain/tss-lib. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Remediation status
No patched version of github.com/bnb-chain/tss-lib has shipped for GHSA-h24c-6p6p-m3vx yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.
Mitigate without a patch
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-h24c-6p6p-m3vx is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-h24c-6p6p-m3vx. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact The specification of the GG18 threshold ECDSA signature protocol contains a vulnerability allowing an attacker to recover the shared secret key. If a participant generates a Paillier modulus `N` containing small factors (less than `2^100`) they can interact with other participants in the signing protocol to steal their secret key shares in as little as sixteen signing attempts. The master key can then be reconstructed from these shares. ### Patches The implementation of GG18 in tss-lib did not prove that `N` is biprime or that it doesn't contain small factors. The fixed implement

O3 Security · Impact-Aware SCA

Is GHSA-h24c-6p6p-m3vx in your dependencies?

O3 detects GHSA-h24c-6p6p-m3vx across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works