RUSTSEC-2026-0072

Missing Check for All-Zero X25519 Shared Secret

Reported
Issued
Package: hpke-rs-rust-crypto (crates.io)
Type: Vulnerability
Aliases
References
Patched: >=0.6.0
Affected Functions (Version): hpke_rs_rust_crypto::HpkeRustCrypto::dh (<=0.5.0)

Description

Computing an X25519 shared secret with x25519_dalek::StaticSecret::diffie_hellman does not include the check that the key exchange was contributory, i.e. does not ensure on its own that the resulting shared secret is non-zero.

Impact

RFC 9180 mandates that implementations of HPKE must check for all-zero Diffie-Hellman shared secrets and abort if one is found.

Applications using hpke-rs with the RustCrypto provider would not perform this check, allowing non-contributory Diffie-Hellman shared secrets. Applications using hpke-rs with the libcrux provider are not affected.

Mitigation

Starting with version 0.6.0, an error will be returned when the computed Diffie-Hellman shared secret is all-zero.
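
The check described above, as an added example that is not code from hpke-rs or this advisory: a wrapper that runs a raw DH primitive and fails closed on an all-zero output. The names `DhError`, `is_all_zero` and `checked_dh` are hypothetical, and `raw_dh` is a stand-in for the provider's X25519 call so the block runs with the standard library only.

```rust
#[derive(Debug, PartialEq)]
pub enum DhError {
    /// The shared secret was all-zero: the peer's key did not contribute.
    NonContributory,
}

/// OR every byte together with no early exit, so the running time does
/// not depend on where (or whether) a non-zero byte occurs.
pub fn is_all_zero(secret: &[u8; 32]) -> bool {
    let mut acc = 0u8;
    for b in secret.iter() {
        acc |= *b;
    }
    // black_box discourages the optimiser from reintroducing a short-circuit.
    std::hint::black_box(acc) == 0
}

/// Run the raw DH primitive, then reject an all-zero result before it
/// can reach the KDF. `raw_dh` is an assumed stand-in, not a real API.
pub fn checked_dh<F>(sk: &[u8; 32], pk: &[u8; 32], raw_dh: F) -> Result<[u8; 32], DhError>
where
    F: FnOnce(&[u8; 32], &[u8; 32]) -> [u8; 32],
{
    let shared = raw_dh(sk, pk);
    if is_all_zero(&shared) {
        return Err(DhError::NonContributory);
    }
    Ok(shared)
}

fn main() {
    // Constructed stand-ins for the primitive's output, not real X25519.
    fn degenerate(_: &[u8; 32], _: &[u8; 32]) -> [u8; 32] {
        [0u8; 32]
    }
    fn normal(_: &[u8; 32], _: &[u8; 32]) -> [u8; 32] {
        let mut s = [0u8; 32];
        s[31] = 1;
        s
    }
    let (sk, pk) = ([0x11u8; 32], [0x22u8; 32]); // constructed byte strings
    println!("{:?}", checked_dh(&sk, &pk, degenerate));
    println!("{:?}", checked_dh(&sk, &pk, normal).map(|_| "accepted"));
}
```

When calling x25519-dalek directly, the `SharedSecret::was_contributory()` method reports the same condition on the value returned by `diffie_hellman`.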

Advisory available under CC0-1.0 license.