Back to security portal
Missing confirmation in the ECDHSessionKey call
Reported on November 26, 2023
The Trezor Safe 3 returns the ECDHSessionKey without requiring appropriate user interaction, resulting in the omission of address confirmation screens in the user interaction workflow.
This concerns only the SSH functionality in Trezor and was fixed in 2.6.4.
Reported by Mathias Herberts
Trezor Safe 3
Resolved vulnerabilities
Reported by community. Investigated. Resolved. Because your security is never optional.
- Reflected cross-site scripting (XSS) vulnerability on connect.trezor.io via hash fragment script injectionMarch 25, 2026
- EIP-712 Domain Spoofing via Double-FetchMarch 21, 2026
- Open redirect on affiliate pageMarch 20, 2026
- Biometric Verification bypassed in Trezor Suite with external monitorMarch 9, 2026
- Insufficient entropy on Trezor Model One with 12/18 wordsFebruary 6, 2026
- Bug in multisig verificationJanuary 10, 2026