CuraSec

Plan active

Cryptographic Flaw in Cloudflare CIRCL FourQ (CVE-2025-8556)

2026-07-12 11:56 UTC · HN (cve) · read the source ↗ #cryptography#supply-chain#go
  • Engineer — Plan: If your Go codebase depends on github.com/cloudflare/circl and uses the FourQ elliptic curve (key exchange or signatures), audit that usage and schedule an upgrade; EPSS is 0.00 and no KEV listing, but a public PoC exists and cryptographic correctness flaws can enable key-recovery or signature-forgery scenarios.
  • SOC/IR — Skip
  • Leader — Skip
  • Signals: CVE-2025-8556 — CISA KEV: not listed, EPSS 0.00, public PoC on GitHub
This entry was curated and judged by AI (Claude) with automated enrichment (CISA KEV / EPSS / public PoC). Verify against the original source before acting. Found a bad verdict? Report it — confirmed errors go to the corrections log.