All Topics
All Topics
Technology
Technology
Design
Design
Programming
Programming
Science
Science
News
News
Gaming
Gaming
Entertainment
Entertainment
Business
Business
Finance
Finance
Sports
Sports
Health
Health
Food
Food
Travel
Travel
Art
Art
Music
Music
Books
Books
Education
Education
Politics
Politics
Personal
Personal
No algorithm. No AI slop. No ads. Just RSS. Pro-human. Indie writers. Real journalism. Open web. Chronological. Hand toasted.

Cryptographic Vulnerabilities Found in Cloudflare's CIRCL FourQ Implementation

By

botanica_labs

7mo ago· 9 min readenNews
Bagel score 85 of 100
85/100
Golden Brown
Bagelometer

If you only eat one bagel today, this is the bagel.

Score85TypenewsSentimentneutral

Summary

Security researchers discovered cryptographic vulnerabilities in Cloudflare's CIRCL library implementation of the FourQ elliptic curve during a 2025 audit of open-source elliptic curve implementations. The issues were reported through Cloudflare's HackerOne bug bounty program in March 2025, initially receiving a lukewarm response from the triage team. After direct contact with Cloudflare's security team, the issues were properly acknowledged and addressed.

Key quotes

· 3 pulled
In early 2025, while working on a project which required us to perform a broad audit of OSS elliptic curve implementations – we discovered several cryptographic issues in Cloudflare's CIRCL library – specifically with the implementation of the FourQ elliptic curve.
We reported the issues through Cloudflare's HackerOne bug bounty plan in March 2025, and subsequently contacted Cloudflare directly, after having received a lukewarm and laconic response from the HackerOne triage team.
Once the team at Cloudflare stepped in the issues were appropriately acknowledged
Snippet from the RSS feed
2 min read

You might also wanna read

Comparing Cryptographic Hash Functions: SHA-2 vs SHA-3 vs BLAKE3 for Future Security

The article discusses the importance of choosing future-proof cryptographic hash functions, comparing SHA-2, SHA-3, and BLAKE3 for long-term

kerkour.com·6mo ago

North Korean Chollima Group Targets PHP Developers via Malicious Packagist Package

A malicious obfuscated JavaScript payload was discovered appended to tailwind.js in the Packagist development version dev-drewroberts/featur

socket.dev·5h ago

Microsoft uncovers supply chain attack: Compromised @antv npm packages steal CI/CD credentials via Mini Shai-Hulud malware

Microsoft has identified an active supply chain attack targeting the @antv npm package ecosystem. A threat actor compromised an @antv mainta

microsoft.com·19h ago

npm malware targeting Claude users leaks own GitHub token, reaches 676 downloads

An npm package called "mouse5212-super-formatter" targeting Claude users acted as information-stealing malware, reaching 676 downloads befor

theregister.com·1d ago

Attacker publishes 14 malicious npm packages impersonating OpenSearch and Elasticsearch libraries

A single npm user published 14 malicious packages over four hours, impersonating popular OpenSearch, Elasticsearch, DevOps, and environment-

briefly.co·2d ago

Extending Wazuh Detection with Clickdetect, OpenSearch PPL, and Sigma Rules

This blog post by "souzo" introduces clickdetect, a repository/tool designed to extend Wazuh's detection capabilities by integrating with Op

infosecwriteups.com·3d ago