CVE CyberSecurity Database News

CVE-2024-30172 - Bouncy Castle Ed25519 Infinite Loop Exploit Explained (with Code Examples)

Poster -

*Published June 2024*


Bouncy Castle is a popular set of cryptography libraries in Java and other languages. But even the most trusted security tools sometimes have bugs—and CVE-2024-30172 is a perfect example. This post explains what happened with the Ed25519 signature verification, why it's dangerous, and how you could demonstrate the bug, all in clear language with code and sources.

Vulnerability: Infinite loop in Ed25519 signature verification code

- CVE: CVE-2024-30172

What is Ed25519 and Why Does It Matter?

Ed25519 is a modern public-key signature algorithm based on elliptic curve cryptography. It's incredibly popular for secure messaging, SSH keys, software signing, and more. Bouncy Castle provides Ed25519 in Java, making it a top choice for developers across the world.

What Is the Infinite Loop Bug?

Before version 1.78, Bouncy Castle’s Ed25519 verification code did not properly validate inputs before running math on them. If an attacker sent you a specifically malformed signature and public key, the verification process could enter an infinite loop.

- This means that whenever you tried to check if that signature was valid, your server would get "stuck."

Demonstrating the Flaw (Example in Java)

Here's a simplified example using (old, vulnerable) Bouncy Castle code. Don’t run this in production!

import org.bouncycastle.crypto.params.Ed25519PublicKeyParameters;
import org.bouncycastle.crypto.signers.Ed25519Signer;
import org.bouncycastle.util.encoders.Hex;

public class CVE202430172_Demo {
    public static void main(String[] args) {
        // Replace with real malicious values that trigger the loop.
        // These are hex-encoded "crafted" inputs for demonstration.
        String pubKeyHex = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
        String signatureHex = "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
                            + "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
        byte[] pubKey = Hex.decode(pubKeyHex);
        byte[] signature = Hex.decode(signatureHex);

        Ed25519PublicKeyParameters pubParams = new Ed25519PublicKeyParameters(pubKey, );
        Ed25519Signer verifier = new Ed25519Signer();

        verifier.init(false, pubParams);

        // Byte array you want to check
        byte[] message = "hello world".getBytes();

        verifier.update(message, , message.length);

        // This call could, with crafted values, loop endlessly!
        boolean isValid = verifier.verifySignature(signature);

        System.out.println("Verification: " + isValid);
    }
}

> ⚠️ You’d need a specially designed combination of signature and publicKey to actually hit the infinite loop—security researchers could generate these for PoC.

How Did This Happen?

Deep inside Bouncy Castle’s Ed25519 math, checks on the input values were not fully robust. Certain weird public keys trigger a code path where a loop meant for mathematical normalization never makes progress—leading to an infinite loop.

Read the fix here:
Relevant Pull Request: BouncyCastle PR #1357 (June 2024)

Official advisory:
- GHSA-x8pw-4r6f-rp66

National Vulnerability Database:
- CVE-2024-30172

How Bad Is This? (Impact & Exploitability)

- High DoS risk: If someone can get your application to verify their signature & public key (like an authentication system or a file signature checker), they can hang your server.
- No info leak: This bug doesn't let attackers steal keys or bypass cryptography, but DoS is often enough to hurt real services.
- Easy to exploit: Once a crafted signature & key are made, any verification call becomes a "suicide pill" for the process.


## Fix / Solution

Upgrade Bouncy Castle to version 1.78 (or later).
This version checks for these input issues and avoids the infinite loop.

If you can’t upgrade, consider blocking untrusted Ed25519 signatures, or sandbox signature verification code so one hung thread doesn’t halt your whole system.

Final Thoughts

This bug shows how critical good input validation is in cryptography—one unchecked edge case can bring down any app!

Are you using Bouncy Castle?
- Java: Update to Bouncy Castle 1.78

References

- Bouncy Castle Release Notes
- GitHub Advisory
- National Vulnerability Database CVE-2024-30172
- BouncyCastle Pull Request #1357


*This post is an original summary and technical guide for developers, sysadmins, and security teams concerned about CVE-2024-30172 and Java cryptography.*

Timeline

Published on: 05/14/2024 15:21:53 UTC
Last modified on: 11/05/2024 18:35:06 UTC