GHSA-5xxp-2vrj-x855

Overview

The current SM9 decryption implementation contains an infinity-point ciphertext forgery vulnerability. The root cause is that, during decryption, the elliptic-curve point C1 in the ciphertext is only deserialized and checked to be on the curve, but the implementation does not explicitly reject the point at infinity.

In the current implementation, an attacker can construct C1 as the point at infinity, causing the bilinear pairing result to degenerate into the identity element in the GT group. As a result, a critical part of the key derivation input becomes a predictable constant. An attacker who only knows the target user's UID can derive the decryption key material and then forge a ciphertext that passes the integrity check.

Impact

The direct impact of this vulnerability is ciphertext forgery, not confidentiality loss.

• The attacker does not need the master public key, the user's private key, or any other secret material.
• The attacker only needs to know the target UID to construct a seemingly valid ciphertext.
• When the recipient invokes the SM9 decryption API, the forged ciphertext decrypts successfully to attacker-chosen plaintext.
• The C3 integrity check also passes, so this is not merely a format bypass, but a full forgery.

This issue affects the following paths because they all eventually enter the same UnwrapKey logic:

• sm9.Decrypt
• sm9.DecryptASN1
• sm9.UnwrapKey

This means the issue affects not only public-key encryption/decryption, but also key encapsulation/decapsulation.

Severity

This vulnerability should be rated as High.

Using CVSS 3.1 as a reference, it can be characterized as follows:

• Attack vector: Network
• Attack complexity: Low
• Privileges required: None
• User interaction: None
• Confidentiality impact: Low or None
• Integrity impact: High
• Availability impact: None

Overall, the estimated score falls in the High range, approximately 7.5.

It is High rather than Critical for the following reasons:...