Headline
GHSA-hpwg-xg7m-3p6m: sm-crypto Affected by Signature Forgery in SM2-DSA
Summary
A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto. Under default configurations, an attacker can forge valid signatures for arbitrary public keys. If the message space contains sufficient redundancy, the attacker can fix the prefix of the message associated with the forged signature to satisfy specific formatting requirements.
Credit
This vulnerability was discovered by:
- XlabAI Team of Tencent Xuanwu Lab
- Atuin Automated Vulnerability Discovery Engine
Skip to content
Navigation Menu
AI CODE CREATION
GitHub CopilotWrite better code with AI
GitHub SparkBuild and deploy intelligent apps
GitHub ModelsManage and compare prompts
MCP RegistryNewIntegrate external tools
View all features
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
Appearance settings
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2026-23965
sm-crypto Affected by Signature Forgery in SM2-DSA
High severity GitHub Reviewed Published Jan 20, 2026 in JuneAndGreen/sm-crypto • Updated Jan 21, 2026
Package
npm sm-crypto (npm)
Affected versions
< 0.4.0
Description
Summary
A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto. Under default configurations, an attacker can forge valid signatures for arbitrary public keys. If the message space contains sufficient redundancy, the attacker can fix the prefix of the message associated with the forged signature to satisfy specific formatting requirements.
Credit
This vulnerability was discovered by:
- XlabAI Team of Tencent Xuanwu Lab
- Atuin Automated Vulnerability Discovery Engine
References
- GHSA-hpwg-xg7m-3p6m
- JuneAndGreen/sm-crypto@85295a8
Published to the GitHub Advisory Database
Jan 21, 2026
Last updated
Jan 21, 2026
EPSS score