PT-2025-11300 · Unknown · Post-Quantum Secure Feldman's Verifiable Secret Sharing
Published 2025-03-14 · Updated 2025-03-14 · CVE-2025-29780
CVSS v4.0: 5.8 (Medium)
| Vector | AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions:
Post-Quantum Secure Feldman's Verifiable Secret Sharing versions 0.7.6b0 and prior
Description:
The issue concerns timing side-channel vulnerabilities in the `feldman_vss` library, specifically within the `_find_secure_pivot` function and potentially other parts of `_secure_matrix_solve`. These vulnerabilities are due to Python's execution model, which does not guarantee constant-time execution. An attacker with the ability to measure the execution time of these functions could potentially recover secret information used in the Verifiable Secret Sharing (VSS) scheme. The conditional statement `if matrix[row][col] != 0 and row_random < min_value:` has execution time that depends on the value of `matrix[row][col]`, which can be exploited by an attacker. Successful exploitation of these timing side-channels could allow an attacker to recover secret keys or other sensitive information protected by the VSS scheme, leading to a complete compromise of the shared secret.
Recommendations:
For versions 0.7.6b0 and prior, consider using the library only in environments where timing measurements by attackers are infeasible.
Implement your own wrappers around critical operations using constant-time libraries in languages like Rust, Go, or C as a medium-term solution.
Wait for the planned Rust implementation mentioned in the library documentation that will properly address these issues as a long-term solution.
As a temporary workaround, consider restricting access to the `_find_secure_pivot` and `_secure_matrix_solve` functions to minimize the risk of exploitation.
Avoid using the `constant_time_compare` function in the affected library until a patch is available.
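The branch-free pattern that the "constant-time libraries in languages like Rust, Go, or C" recommendation points at, shown as an added C example that is not code from the feldman_vss project: the pivot search the description quotes, written once with the data-dependent conditional and once with masks so that every candidate row does exactly the same work whether or not it is chosen. The helper names (`ct_is_nonzero`, `ct_lt`, `ct_select`, `leaky_find_pivot`, `ct_find_secure_pivot`), the flat row-major matrix layout and the 3x3 sample matrix with its per-row random tags are all constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Mask helpers: each returns all-ones (UINT64_MAX) or all-zeros and never
 * takes a data-dependent branch. Values are unsigned 64-bit words. */

/* all-ones iff x != 0 */
static uint64_t ct_is_nonzero(uint64_t x) {
    return (uint64_t)0 - ((x | ((uint64_t)0 - x)) >> 63);
}

/* all-ones iff a < b (unsigned): the borrow bit of a - b */
static uint64_t ct_lt(uint64_t a, uint64_t b) {
    return (uint64_t)0 - (((~a & b) | (~(a ^ b) & (a - b))) >> 63);
}

/* a when mask is all-ones, b when mask is all-zeros */
static uint64_t ct_select(uint64_t mask, uint64_t a, uint64_t b) {
    return (a & mask) | (b & ~mask);
}

/* Leaky form: the conditional the advisory quotes. Rows whose element is zero
 * never evaluate the second comparison (short-circuit `and`), and rows that
 * win perform extra stores, so run time depends on the matrix contents. */
int leaky_find_pivot(const uint64_t *matrix, size_t n, size_t col,
                     const uint64_t *row_random, size_t *pivot_out) {
    uint64_t min_value = UINT64_MAX;
    int found = 0;
    for (size_t row = col; row < n; row++) {
        if (matrix[row * n + col] != 0 && row_random[row] < min_value) {
            min_value = row_random[row];
            *pivot_out = row;
            found = 1;
        }
    }
    return found;
}

/* Constant-time form: every row computes the same mask and performs the same
 * two selects. Returns 1 and sets *pivot_out when a nonzero pivot exists in
 * rows col..n-1, otherwise 0 (and *pivot_out is meaningless). */
int ct_find_secure_pivot(const uint64_t *matrix, size_t n, size_t col,
                         const uint64_t *row_random, size_t *pivot_out) {
    uint64_t min_value = UINT64_MAX;
    uint64_t pivot_row = 0;
    uint64_t found = 0;
    for (size_t row = col; row < n; row++) {
        uint64_t elem = matrix[row * n + col];
        /* take == all-ones iff elem != 0 && row_random[row] < min_value */
        uint64_t take = ct_is_nonzero(elem) & ct_lt(row_random[row], min_value);
        min_value = ct_select(take, row_random[row], min_value);
        pivot_row = ct_select(take, (uint64_t)row, pivot_row);
        found |= take;
    }
    *pivot_out = (size_t)pivot_row;
    return (int)(found & 1);
}

/* Constructed 3x3 sample (not from the library). In column 0, row 0 holds a
 * zero and must be skipped even though its random tag (1) is the smallest;
 * column 1 has no nonzero entry at or below the diagonal. */
static const uint64_t DEMO_MATRIX[9] = {
    0, 3, 1,
    7, 0, 2,
    5, 0, 8,
};
static const uint64_t DEMO_RANDOM[3] = { 1, 9, 4 };

int main(void) {
    size_t p = 0;
    for (size_t col = 0; col < 3; col++) {
        int ok = ct_find_secure_pivot(DEMO_MATRIX, 3, col, DEMO_RANDOM, &p);
        if (ok)
            printf("col %zu: pivot row %zu\n", col, p);
        else
            printf("col %zu: no nonzero pivot\n", col);
    }
    return 0;
}
```

Both functions agree on every input; only the work profile differs. Two caveats a practitioner should keep in mind: the masks only remove the branch at the C level, so the generated machine code still has to be inspected (or the function built with a compiler setting that prevents mask-to-branch conversion) before it can be called constant-time, and the pattern does not port back to CPython, which is the reason the advisory recommends moving the critical operations out of Python rather than rewriting the conditional in place.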
Tags: Exploit, Fix, Side Channel Attack
Related Identifiers
Affected Products
Post-Quantum Secure Feldman's Verifiable Secret Sharing
Feldman Vss