Hourly ·
AI Audit Pipeline Unearths Seven Real Bugs in Cloudflare's Crypto Library
zkSecurity pointed its AI audit pipeline at Cloudflare's CIRCL experimental cryptography library and confirmed seven real vulnerabilities — all now fixed upstream and most awarded bounties on HackerOne.
An automated AI audit pipeline has found seven genuine, previously unknown bugs in Cloudflare's CIRCL library — a collection of advanced and post-quantum cryptographic implementations used in production systems.
The findings were published today by zkSecurity, the firm behind the AI audit agent zkao. Their pipeline scanned CIRCL and surfaced a range of vulnerabilities, from a critical access-control break in attribute-based encryption to subtle precision-loss bugs in threshold RSA.
All seven bugs have been fixed by Cloudflare and most were awarded bounties through the company's HackerOne program. The complete list:
CP-ABE access-control break (Critical): A one-line mistake in AND-share logic allowed unauthorized decryption in ciphertext-policy attribute-based encryption.
BLS aggregate verification without message distinctness (High): The BLS aggregate signature verification accepted aggregated signatures without requiring distinct messages, enabling signature forgery across repeated messages.
HPKE PSK validation bypass (Medium): A bitwise-OR switch in the Hybrid Public Key Encryption pre-shared key validation allowed invalid keys to pass through silently.
Lagrange coefficients in int64 (Medium): Threshold secret-sharing polynomial evaluation used int64 instead of big integers, causing overflow for large parameters.
Float64 polynomial evaluation (Low): The TSS/RSA implementation evaluated recovery polynomials in float64, losing precision for larger threshold configurations.
DLEQ forgery via prover-controlled security parameter (Low): The discrete-log equality proof allowed the prover to manipulate a security parameter, breaking soundness.
DLEQ soundness break via FillBytes collision (Low): A sign collision in the FillBytes routine broke the soundness guarantee of the DLEQ proof system.
The AI produced candidate findings, not final reports. Human researchers on zkSecurity's team validated each issue, checked exploitability, minimized proofs of concept, and handled disclosure. Cloudflare's own severity ratings differed from the AI's in several cases — the CP-ABE bug was correctly flagged as Critical by both, but the float64 precision loss received only a "Low" from Cloudflare after triage.
The bugs were found using combinations of Claude Opus 4.6 with expert-crafted skills, GPT-5.3 with skills, and zkao running independently. In most cases, zkao not only replicated the findings but also discovered more complex and more severe issues on its own.
Sources: ZK/SEC Quarterly
AI审计管道在云flare的加密库中挖出七处真实漏洞
zk安全审查了Cloudflare的CIRCL实验性密码库的安全审计管道,并确认了七个真实漏[K 洞——所有这些现在都在上游修复,其中大多数在HackerOne上获得了悬赏。
← Hourlies 小时内 · 2026-07-07 20:00 UTC AI 审核管道在 Cloudflare 的 Crypt[5D[K Crypto 库中发现了七处真实漏洞,zkSecurity 使用其 AI 审核管道检查了 Cloudfla[8D[K Cloudflare 的 CIRCL 实验性密码学库,并确认发现七个真实的漏洞——所有漏洞均已修[K 复并向上游提交,多数已经通过 HackerOne 颁发赏金。 一个自动化的 AI 审核管道发[K 现了七个真实存在的、此前未知的漏洞。
More Hourlies Stories
Content on Anagnorisis is summarized, paraphrased, and editorialized from publicly available sources for length and clarity. Original sources are linked where available. All trademarks belong to their respective owners.
