Asanso

**Name of the Vulnerable Software and Affected Versions** Hyperledger Besu versions 24.7.1 through 25.2.2 besu-native versions 0.9.0 through 1.2.1 **Description** The issue concerns a potential consensus bug in the precompiles ALTBN128 ADD (0x06), ALTBN128 MUL (0x07), and ALTBN128 PAIRING (0x08) due to the use of gnark-crypto's bn254 implementation in besu-native. This implementation relies on subgroup checks to perform point-on-curve checks, but the version of gnark-crypto used did not do this check when performing subgroup checks. As a result, it is possible for Besu to give an incorrect result and fall out of consensus when executing one of these precompiles against a specially crafted input point. Homogenous Besu-only networks can potentially enshrine invalid state which would be incorrect and difficult to process with patched versions of besu. **Recommendations** For Hyperledger Besu versions 24.7.1 through 25.2.2, consider disabling the native precompile for altbn128 in favor of the pure-java implementation as a temporary workaround. Update to Hyperledger Besu version 25.3.0, which includes the fixed besu-native release 1.3.0.

Name of the Vulnerable Software and Affected Versions: node-jose versions prior to 0.9.3 Description: The issue allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used, due to an invalid curve attack. Recommendations: Update to version 0.9.3 or later.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 50.0.2661.75 Opera versions prior to 50.0.2661.75 **Description** The issue arises from the incorrect reliance on GetOrigin method calls for origin comparisons in the Extensions subsystem. This allows remote attackers to bypass the Same Origin Policy, potentially obtaining sensitive information via a crafted extension. **Recommendations** For Google Chrome versions prior to 50.0.2661.75, update to version 50.0.2661.75 or later. For Opera versions prior to 50.0.2661.75, update to version 50.0.2661.75 or later. As a temporary workaround, consider restricting the use of extensions in Google Chrome and Opera until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Safari (affected versions not specified) **Description** The issue is related to insufficient input validation in the Safari browser's user interface on the iOS operating system. This could allow a remote attacker to exploit the issue and substitute a web page by spoofing its address (URI). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.