AIArticle
AI agents found seven real vulnerabilities in Cloudflare's cryptographic library, exposing the gap between automated reasoning and real-world exploitability.
Writing cryptographic code is notoriously unforgiving. A single misplaced bit or an overlooked mathematical edge case can turn a sophisticated security protocol into expensive theater. This is why the industry watches libraries like CIRCL (Cloudflare Interoperable Reusable Cryptographic Library) so closely. CIRCL is not just another TLS wrapper. It is Cloudflare's playground for advanced, experimental, and post-quantum cryptography (PQC), implementing algorithms designed to protect data long into the future.
Recently, security firm zkSecurity pointed its AI-driven audit pipeline, including a specialized agent called zkao
, at CIRCL. The run was not a theoretical exercise. The AI pipeline flagged dozens of candidates, which human researchers triaged down to seven genuine, confirmed vulnerabilities. All seven have since been patched upstream, and most earned bounties under Cloudflare's bug bounty program.
This is not another story about AI "vibe-coding" buggy software. It is the inverse. It shows that when properly constrained and equipped with domain-specific skills, LLMs are transitioning into highly pedantic, surprisingly capable static analysis tools. But the audit also exposed a massive friction point that developers must reckon with: the yawning chasm between an AI's mathematical panic and real-world exploitability.
The Math: Where the AI Triumphed #
To understand what the AI actually found, we have to look at the code. The most illustrative bug discovered by the pipeline (specifically using an LLM configuration dubbed Opus 4.6 with expert-curated skills) was a silent precision loss in CIRCL's threshold RSA implementation (tss/rsa
).
Threshold signing splits a private key among multiple players using Shamir-style secret sharing. During setup, the system evaluates a secret polynomial at each player's index. Because cryptographic keys are massive, these calculations must occur within arbitrary-precision math libraries. However, the developer who wrote the polynomial evaluation fell back to standard Go library functions for exponentiation:
// tss/rsa/rsa_threshold.go
xi := int64(math.Pow(float64(x), float64(i)))
Go's math.Pow
operates on float64
values, which use the IEEE 754 double-precision format. A float64
has a 53-bit mantissa. The moment the term $x^i$ exceeds $2^{53}$ (approximately $9 \times 10^{15}$), the float silently loses precision and rounds the value before casting it back to an int64
.
In a real-world threshold setup, say 100 players with a threshold of 27, evaluating at player index $x = 100$ with exponent $i = 26$ requires calculating $100^{26}$, or $10^{52}$. This exceeds the precision limit of a float64
by 36 orders of magnitude. Even modest parameters, like $x = 20$ and $i = 16$, trigger the bug.
The result is that the polynomial evaluates incorrectly, generating invalid key shares. The protocol either fails to combine signatures or reconstructs a completely broken key. The fix, tracked in commit f7d2180
, replaces the floating-point exponentiation with Horner's method, keeping all calculations strictly within Go's big.Int
package.
Another critical bug, found entirely by the autonomous zkao
agent, was an access-control break in CIRCL's Ciphertext-Policy Attribute-Based Encryption (CP-ABE) implementation. A logical error in how the code handled AND-gates allowed unauthorized attribute shares to satisfy the decryption policy, effectively breaking the core security guarantees of the scheme.
The Severity Gap: AI Panic vs. Engineering Reality #
While the AI was highly effective at spotting these logical and mathematical deviations, its ability to assess the actual security risk was wildly off target. LLMs lack context on how code is deployed, how parameters are restricted in production, and what makes a bug practically exploitable.
The table below compares the severity assigned by the AI against the final severity confirmed by Cloudflare's security team after human triage:
| Bug | Description | AI Severity | Confirmed Severity | Fix Commit |
|---|---|---|---|---|
| 1 | float64 precision loss in TSS/RSA polynomial eval | Critical | Low | f7d2180 |
| 2 | qndleq forgery via prover-controlled SecParam | High | Low | 757dde4 |
| 3 | BLS aggregate missing message distinctness | Medium | High | 9798df7 |
| 4 | DLEQ soundness break via FillBytes sign collision | High | Low | 19848a5 |
| 5 | HPKE PSK validation bypass via bitwise-OR switch | Medium | Medium | a3b4fa3 |
| 6 | TSS/RSA Lagrange coefficients in int64 | High | Medium | 751e372 |
| 7 | CP-ABE access-control break via AND-share bug | Critical | Critical | def2fd3 |
The float64 precision bug (Bug 1) is a perfect example of this gap. To the AI, a broken key-generation routine in a threshold signature scheme is a "Critical" failure because the math is wrong. To Cloudflare, it was rated "Low" because the specific conditions required to trigger the precision loss were highly unlikely to occur under standard production parameters.
Conversely, the AI underestimated Bug 3, a missing message distinctness check in BLS signature aggregation, rating it "Medium." Cloudflare upgraded it to "High" because failing to enforce distinct messages in certain aggregate signature schemes opens the door to rogue-key attacks, a well-known and highly practical exploit vector in distributed systems.
The Double-Edged Sword: AI-Generated Code #
This audit highlights a strange symmetry in modern software engineering. While AI agents are getting better at finding bugs in human-written code, AI-generated code is simultaneously introducing the exact same class of subtle, spec-violating vulnerabilities.
Shortly after the CIRCL audit, security researchers analyzed another Cloudflare project: an OAuth provider library written almost entirely using Anthropic's Claude. While Cloudflare's engineers thoroughly reviewed the code, independent analysis by security experts revealed several classic "AI-isms" that slipped through the cracks.
For instance, the AI-generated OAuth library implemented "YOLO CORS" by blindly reflecting the request's Origin
header back in the response. It also implemented the deprecated "implicit" grant (which was removed in OAuth 2.1) simply because the LLM suggested it when asked how to support public clients. Furthermore, the AI botched the implementation of HTTP Basic Authentication because it assumed standard Basic auth rules applied, failing to account for the OAuth spec's unique requirement to URL-encode credentials first.
This pattern suggests that LLMs suffer from a form of "vibe-compliance." They can write code that looks correct, passes basic functional tests, and reads beautifully, but they routinely miss the subtle "MUST" and "MUST NOT" requirements buried deep within RFCs.
The Developer Playbook: Integrating AI Auditing #
If you want to use AI to secure your codebase without drowning in false positives or missing critical flaws, you cannot simply paste your repository into a generic LLM prompt. The zkSecurity experiment succeeded because of a structured, multi-layered approach that developers should emulate:
Equip LLMs with "Skills": Raw models are bad at cryptography because they do not understand domain-specific invariants. The zkSecurity team achieved their results by wrapping the LLM in an environment where experts had explicitly encoded security heuristics, common vulnerability patterns, and API-specific rules.Mandate Human-in-the-Loop Triage: AI is cheap; validation is expensive. The AI pipeline produced a high volume of candidate findings. Human engineers were still required to write proof-of-concept exploits, verify if the code was reachable in production, and write the actual patches. Treat AI findings as a highly sensitive, noisy linter.Focus on Mathematical Invariants: LLMs excel at finding discrepancies between a formal specification (like a paper on threshold RSA) and the actual implementation (like casting tofloat64
). Use them to audit the translation layer between your design docs and your code.
AI is proving to be an incredibly pedantic assistant, capable of spotting the math homework errors that human developers overlook during late-night coding sessions. But until these models understand the context of deployment and the mechanics of actual exploitability, they remain a diagnostic tool, not a replacement for security engineering.
Sources & further reading #
AI Meets Cryptography 1: What AI Found in Cloudflare's Circl— blog.zksecurity.xyz - An early look at cryptographic watermarks for AI-generated content— blog.cloudflare.com - Recap of Cloudflare Security Week 2025: From Quantum Cryptography to AI Labyrinth - InfoQ— infoq.com - A look at CloudFlare's AI-coded OAuth library - Neil Madden— neilmadden.blog - Google, Cloudflare want post-quantum cryptography by 2029 | Information Age | ACS— ia.acs.org.au
Rachel Goldstein· Dev Tools Editor
Rachel has been embedded in the developer tooling ecosystem for nearly eight years, covering everything from IDE wars and package-manager drama to the quiet rise of AI-assisted coding. She has a soft spot for open-source maintainers and an unhealthy number of terminal emulators installed on a single laptop.
Discussion 0 #
No comments yet
Be the first to weigh in.