phpecc, as used in all versions of mdanter/ecc, as well as paragonie/ecc before 2.0.1, has a branch-based timing leak in Point addition. (This Composer package is also known as phpecc/phpecc on GitHub, previously known as the Matyas Danter ECC library.)
Paragon Initiative Enterprises hard-forked phpecc/phpecc and discovered the issue in the original code, then released v2.0.1 which fixes the vulnerability. The upstream code is no longer maintained and remains vulnerable for all versions.
CPE | Name | Operator | Version |
---|---|---|---|
mdanter/ecc | le | 1.0.0 | |
paragonie/ecc | ge | 0 | |
paragonie/ecc | lt | 2.0.1 |