GHSA-pffg-92cg-xf5c
gnark-crypto's exponentiation in the pairing target group GT using GLV can give incorrect results
Blast Radius
github.com/consensys/gnark-cryptoReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Impact
When the exponent is bigger than r, the group order of the pairing target group GT, the exponentiation à la GLV (ExpGLV) can sometimes give incorrect results compared to normal exponentiation (Exp).
The issue impacts all users using ExpGLV for exponentiations in GT. This does not impact Exp and ExpCyclotomic which are sound. Also note that GLV methods in G1 and G2 are sound and not impacted.
Patches
Fix has been implemented in pull request https://github.com/Consensys/gnark-crypto/pull/451 and merged in commit https://github.com/Consensys/gnark-crypto/commit/ec6be1a037f7c496d595c541a8a8d31c47bcfa3d to master branch.
The fix increased the bounds of the sub-scalars by 1. In fact, since https://github.com/Consensys/gnark-crypto/pull/213, we use a fast scalar decomposition that tradeoffs divisions (needed in the Babai rounding) by right-shifts. We precompute b=2^m*v/d (m > log2(d)) and then at runtime compute scalar*b/2^m (v is a lattice vector and d the lattice determinant). This increases the bounds on sub-scalars by 1 which we check at runtime before increasing the loop size (we don't target constant-timeness). m is chosen to be a machine word twice big than log2(d) so that we rarely need to increase the loop size. Hence why the issue happens only sometimes if we omit to increase the bounds. This bounds increase was implemented in G1 and G2 but forgot in GT.
Workarounds
Updating to v0.12.1+. Alternatively, use Exp or ExpCyclotomic instead. We are not aware of any users using ExpGLV anyway.
References
- Fix PR: https://github.com/Consensys/gnark-crypto/pull/451
- Fast scalar decomposition PR: https://github.com/Consensys/gnark-crypto/pull/213
- https://eprint.iacr.org/2015/565 Sec.4.2
Acknowledgement
The vulnerability was reported by Antonio Sanso @ EF.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/consensys/gnark-crypto | all versions | 0.12.1 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/consensys/gnark-crypto. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/consensys/gnark-crypto to 0.12.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-pffg-92cg-xf5c is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-pffg-92cg-xf5c is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-pffg-92cg-xf5c. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-pffg-92cg-xf5c in your dependencies?
O3 detects GHSA-pffg-92cg-xf5c across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.