CVE-2025-8556

LOW

Cloudflare Circl < 1.6.1 - Signature Verification Bypass

Title source: rule

Description

A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.

References (7)

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2025-8556

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2371624

[Various Sources] https://github.com/cloudflare/circl

[Various Sources] https://github.com/cloudflare/circl/tree/v1.6.1

[Various Sources] https://news.ycombinator.com/item?id=45669593

[Various Sources] https://www.botanica.software/blog/cryptographic-issues-in-cloudflares-circl-fourq-implementation

[Vendor Advisory] https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm

Scores

CVSS v3 3.7

EPSS 0.0003

EPSS Percentile 7.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1287

Status published

Products (28)

cloudflare/circl 0 - 1.6.1Go

Red Hat/Builds for Red Hat OpenShift

Red Hat/Custom Metric Autoscaler operator for Red Hat Openshift

Red Hat/Multicluster Global Hub

Red Hat/OpenShift Pipelines

Red Hat/OpenShift Serverless

Red Hat/OpenShift Service Mesh 3

Red Hat/Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat/Red Hat Advanced Cluster Security 4

Red Hat/Red Hat Ceph Storage 5

... and 18 more

Published Aug 06, 2025

Tracked Since Feb 18, 2026