PT-2024-28958 · Vodozemac · Vodozemac

Published: 2024-07-17 · Updated: 2024-07-18 · CVE-2024-40640

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: vodozemac versions prior to 0.7.0

Description: vodozemac used a non-constant-time base64 implementation when importing key material for Megolm group sessions and PkDecryption Ed25519 secret keys. Because the running time of such an implementation depends on the secret bytes being processed, an attacker able to take timing measurements might infer some information about the secret key material through a side-channel attack. The impact is considered low because exploitation requires high-precision timing measurements and repeated access to the base64 encoding or decoding operations, and the estimated amount of leakage is bounded and low.

Recommendations: Upgrade to version 0.7.0 or later, which resolves the issue. As a temporary measure, consider restricting access to the base64 encoding and decoding processes to minimize the risk of exploitation; no other workaround is known.
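To illustrate the class of fix the description points at, the following Rust decoder maps base64 characters to values with masks and arithmetic only, so the instructions executed do not depend on the secret bytes (a `match` or table lookup per character, by contrast, branches on them). This is an added example, not vodozemac's code; it assumes unpadded standard-alphabet input and uses a constructed sample string rather than real key material.

```rust
/// a >= b for a, b < 2^31, as an all-ones mask (true) or 0 (false), without branching.
fn ct_ge(a: u32, b: u32) -> u32 {
    ((a.wrapping_sub(b) >> 31) ^ 1).wrapping_neg()
}

/// Decode one standard-alphabet base64 character to 0..=63; returns u32::MAX if invalid.
fn ct_decode_sextet(c: u8) -> u32 {
    let x = c as u32;
    let upper = ct_ge(x, b'A' as u32) & ct_ge(b'Z' as u32, x);
    let lower = ct_ge(x, b'a' as u32) & ct_ge(b'z' as u32, x);
    let digit = ct_ge(x, b'0' as u32) & ct_ge(b'9' as u32, x);
    let plus = ct_ge(x, b'+' as u32) & ct_ge(b'+' as u32, x);
    let slash = ct_ge(x, b'/' as u32) & ct_ge(b'/' as u32, x);
    let value = (upper & x.wrapping_sub(b'A' as u32))
        | (lower & x.wrapping_sub(b'a' as u32).wrapping_add(26))
        | (digit & x.wrapping_sub(b'0' as u32).wrapping_add(52))
        | (plus & 62)
        | (slash & 63);
    // Exactly one class mask is set for a valid character; none for an invalid one.
    value | !(upper | lower | digit | plus | slash)
}

/// Decode unpadded standard base64 (assumed input format). Validity is accumulated
/// and checked once at the end, so no early exit reveals where a bad byte sat.
fn ct_base64_decode(input: &[u8]) -> Option<Vec<u8>> {
    let mut out = Vec::with_capacity(input.len() / 4 * 3 + 2);
    let mut invalid = 0u32;
    for chunk in input.chunks(4) {
        let mut sextets = [0u32; 4];
        for (i, &c) in chunk.iter().enumerate() {
            let v = ct_decode_sextet(c);
            invalid |= v >> 6; // any bit above the low six means "not a base64 char"
            sextets[i] = v & 0x3F;
        }
        let acc = (sextets[0] << 18) | (sextets[1] << 12) | (sextets[2] << 6) | sextets[3];
        let bytes = [(acc >> 16) as u8, (acc >> 8) as u8, acc as u8];
        // Output length depends only on the public input length, never on its content.
        let n = match chunk.len() { 4 => 3, 3 => 2, 2 => 1, _ => return None };
        out.extend_from_slice(&bytes[..n]);
    }
    if invalid != 0 { None } else { Some(out) }
}

fn main() {
    // Constructed sample, not a real key: "hello" in unpadded base64.
    let decoded = ct_base64_decode(b"aGVsbG8").expect("valid base64");
    assert_eq!(decoded, b"hello");
}
```

The decoder does not reject non-canonical trailing bits in a final 2- or 3-character group; a production implementation importing keys would add that check, still without branching on the data.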

Related Identifiers

CVE-2024-40640
GHSA-J8CM-G7R6-HFPQ
RUSTSEC-2024-0354

Affected Products

Vodozemac