Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐍 PyPI

GHSA-rc4p-p3j9-6577

HIGH

pypqc private key retrieval vulnerability

Published
Feb 22, 2024
Updated
Nov 28, 2024
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

Blast Radius

1 pkg affected
🐍pypqc

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.

Description

Impact

kyber512, kyber768, and kyber1024 only: An attacker able to submit many decapsulation requests against a single private key, and to gain timing information about the decapsulation, could recover the private key. Proof-of-concept exploit exists for a local attacker.

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C

Patches

Version 0.0.6.1 and newer of PyPQC is patched.

Workarounds

No workarounds have been reported. The 0.0.6 -> 0.0.6.1 upgrade should be a drop-in replacement; it has no known breaking changes.

References

Timeline

  1. Cryspen researchers privately reported KyberSlash to the reference implementation maintainers.

  2. Peter Schwabe partially patched KyberSlash (only "KyberSlash 1") in the reference implementation on December 1st, 2023, but did not document or advertise this as a security patch.
    https://www.github.com/pq-crystals/kyber/commit/dda29cc63af721981ee2c831cf00822e69be3220

  3. Daniel J. Bernstein publicly reported KyberSlash as a security issue on December 15th, 2023.
    https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hWqFJCucuj4/m/-Z-jm_k9AAAJ

  4. Daniel J. Bernstein created a webpage for authoritative reference about KyberSlash on December 19th, 2023.
    https://kyberslash.cr.yp.to/

  5. Thom Wiggers acknowledged KyberSlash as a security issue on December 19th, 2023.
    https://www.github.com/PQClean/PQClean/issues/533

  6. Prasanna Ravi and Matthias Kannwischer privately reported further details about KyberSlash ("KyberSlash 2") to the reference implementation maintainers.

  7. Peter Schwabe completely patched KyberSlash in the reference implementation on December 29th, 2023. https://www.github.com/pq-crystals/kyber/commit/11d00ff1f20cfca1f72d819e5a45165c1e0a2816

  8. Prasanna Ravi and Matthias Kannwischer publicly reported their findings ("KyberSlash 2") on December 30th, 2023.
    https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/ldX0ThYJuBo/m/ovODsdY7AwAJ

  9. Daniel J. Bernstein published a proof-of-concept exploit (only validated for a local attacker) for KyberSlash on December 30th, 2023.
    https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/ldX0ThYJuBo/m/uIOqRF5BAwAJ

  10. Thom Wiggers completely patched KyberSlash in PQClean on January 25th, 2024.
    https://www.github.com/PQClean/PQClean/commit/3b43bc6fe46fe47be38f87af5019a7f1462ae6dd

  11. James E. A. completely patched KyberSlash in pypqc and released a security update on January 26th, 2024.
    https://www.github.com/JamesTheAwesomeDude/pypqc/commit/b33fec8cd36e865f8db6215c64b2d01f429a1ed6

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐍PyPIpypqc0.0.4&&< 0.0.6.10.0.6.1

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for pypqc. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update pypqc to 0.0.6.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-rc4p-p3j9-6577 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-rc4p-p3j9-6577 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-rc4p-p3j9-6577. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact `kyber512`, `kyber768`, and `kyber1024` only: An attacker able to submit many decapsulation requests against a single private key, and to gain timing information about the decapsulation, could recover the private key. Proof-of-concept exploit exists for a local attacker. CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C ### Patches Version 0.0.6.1 and newer of PyPQC is patched. ### Workarounds No workarounds have been reported. The 0.0.6 -> 0.0.6.1 upgrade should be a drop-in replacement; it has no known breaking changes. ### References #### Timeline 1. Cryspen resear
O3 Security · Impact-Aware SCA

Is GHSA-rc4p-p3j9-6577 in your dependencies?

O3 detects GHSA-rc4p-p3j9-6577 across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works