GHSA-8FRV-Q972-9RQ5
Vulnerability from github – Published: 2025-11-25 20:42 – Updated: 2025-11-27 09:00Impact
This attack is against presignatures used in very specific context:
* Presignatures + HD wallets derivation: security level reduces to 85 bits \
Previously users could generate a presignature, and then choose a HD derivation path while issuing a partial signature via Presignature::set_derivation_path, which is malleable to attack that reduces target security level. To mitigate, this method has been removed from API.
* Presignatures + "raw signing" (when signer signs a hash without knowing an original message): results into signature forgery attack \
Previously, users were able to configure Presignature::issue_partial_signature with hashed message without ever providing original mesage. In new API, this method only accepts digests for which original message has been observed.
Patches
cggmp24 v0.7.0-alpha.2 release contains API changes that make it impossible to use presignatures in contexts in which it reduces security. Follow migration guidelines to upgrade.
Workarounds
Users can continue using un-patched versions of library as long as they don't use presignatures in said scenarios where it weakens system security. To be sure, migrate to patched version that excludes presignatures from being used in such scenarios.
References
Read this blog post to learn more.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "cggmp21"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "cggmp24"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.0-alpha.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66017"
],
"database_specific": {
"cwe_ids": [
"CWE-327"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-25T20:42:28Z",
"nvd_published_at": "2025-11-25T20:16:00Z",
"severity": "HIGH"
},
"details": "### Impact\nThis attack is against presignatures used in very specific context:\n* Presignatures + HD wallets derivation: security level reduces to 85 bits \\\n Previously users could generate a presignature, and then choose a HD derivation path while issuing a partial signature via [`Presignature::set_derivation_path`](https://docs.rs/cggmp21/0.6.3/cggmp21/signing/struct.Presignature.html#method.set_derivation_path), which is malleable to attack that reduces target security level. To mitigate, this method has been removed from API.\n* Presignatures + \"raw signing\" (when signer signs a hash without knowing an original message): results into signature forgery attack \\\n Previously, users were able to configure [`Presignature::issue_partial_signature`](https://docs.rs/cggmp21/0.6.3/cggmp21/signing/struct.Presignature.html#method.issue_partial_signature) with hashed message without ever providing original mesage. In new API, this method only accepts digests for which original message has been observed.\n\n### Patches\n`cggmp24 v0.7.0-alpha.2` release contains API changes that make it impossible to use presignatures in contexts in which it reduces security. Follow [migration guidelines](https://github.com/LFDT-Lockness/cggmp21/blob/v0.7.0-alpha.2/CGGMP21_MIGRATION.md) to upgrade.\n\n### Workarounds\nUsers can continue using un-patched versions of library as long as they don\u0027t use presignatures in said scenarios where it weakens system security. To be sure, migrate to patched version that excludes presignatures from being used in such scenarios.\n\n### References\nRead this [blog post](https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained) to learn more.",
"id": "GHSA-8frv-q972-9rq5",
"modified": "2025-11-27T09:00:00Z",
"published": "2025-11-25T20:42:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/LFDT-Lockness/cggmp21/security/advisories/GHSA-8frv-q972-9rq5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66017"
},
{
"type": "WEB",
"url": "https://github.com/LFDT-Lockness/cggmp21/commit/9d98157e151596573cb071da59d27a4e0ac9b8dc"
},
{
"type": "PACKAGE",
"url": "https://github.com/LFDT-Lockness/cggmp21"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0127.html"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0128.html"
},
{
"type": "WEB",
"url": "https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "cggmp24 and cggmp21 are vulnerable to signature forgery through altered presignatures"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.