Headline
GHSA-pgx9-497m-6c4v: sm-crypto Affected by Private Key Recovery in SM2-PKE
Summary
A private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto. By interacting with the SM2 decryption interface multiple times, an attacker can fully recover the private key within approximately several hundred interactions.
Credit
This vulnerability was discovered by:
- XlabAI Team of Tencent Xuanwu Lab
- Atuin Automated Vulnerability Discovery Engine
Skip to content
Navigation Menu
AI CODE CREATION
GitHub CopilotWrite better code with AI
GitHub SparkBuild and deploy intelligent apps
GitHub ModelsManage and compare prompts
MCP RegistryNewIntegrate external tools
View all features
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
Appearance settings
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2026-23966
sm-crypto Affected by Private Key Recovery in SM2-PKE
Critical severity GitHub Reviewed Published Jan 20, 2026 in JuneAndGreen/sm-crypto • Updated Jan 21, 2026
Package
npm sm-crypto (npm)
Affected versions
< 0.3.14
Description
Summary
A private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto. By interacting with the SM2 decryption interface multiple times, an attacker can fully recover the private key within approximately several hundred interactions.
Credit
This vulnerability was discovered by:
- XlabAI Team of Tencent Xuanwu Lab
- Atuin Automated Vulnerability Discovery Engine
References
- GHSA-pgx9-497m-6c4v
- JuneAndGreen/sm-crypto@b1c824e
Published to the GitHub Advisory Database
Jan 21, 2026
Last updated
Jan 21, 2026
EPSS score