Home > Vulnerability Database > WS-2023-0284

Mend.io Vulnerability Database

WS-2023-0284

Date: August 19, 2025

Blst versions v0.3.0 through 0.3.10 failed to perform a signature group-check if the call to SigValidate in the Go bindings was complemented with a check for infinity. Formally speaking, infinity, or the identity element of the elliptic curve group, is a member of the group, and the group-check should allow it. An initial review of blst users on GitHub did not uncover any use of this function with the complementary infinity check. This optional check was added as a convenience feature because despite infinity being a legitimate member of the group, individual signatures should never be infinite (as it is equivalent to having zero for the secret key), and observing one should raise a flag.

Language: Go

Severity Score

7.1

Related Resources (5)

Url: https://github.com/supranational/blst/security/advisories/GHSA-8c37-7qx3-4c4p

Url: https://github.com/supranational/blst

Url: https://github.com/supranational/blst/commit/fb91221c91c82f65bfc7f243256308977a06d48b

Url: https://github.com/supranational/blst/releases/tag/v0.3.11

Url: https://www.mend.io/vulnerability-database/WS-2023-0284

Severity Score

7.1

Weakness Type (CWE)

Improper Validation of Integrity Check Value

CWE-354

CVSS v3.1

Base Score:	7.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

WS-2023-0284

Date: August 19, 2025

Language: Go

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?