rustsec-2022-0093
Vulnerability from osv_rustsec
Versions of ed25519-dalek prior to v2.0 model private and public keys as
separate types which can be assembled into a Keypair, and also provide APIs
for serializing and deserializing 64-byte private/public keypairs.
Such APIs and serializations are inherently unsafe as the public key is one of
the inputs used in the deterministic computation of the S part of the signature,
but not in the R value. An adversary could somehow use the signing function as
an oracle that allows arbitrary public keys as input can obtain two signatures
for the same message sharing the same R and only differ on the S part.
Unfortunately, when this happens, one can easily extract the private key.
Revised public APIs in v2.0 of ed25519-dalek do NOT allow a decoupled
private/public keypair as signing input, except as part of specially labeled
"hazmat" APIs which are clearly labeled as being dangerous if misused.
{
"affected": [
{
"database_specific": {
"categories": [
"crypto-failure"
],
"cvss": null,
"informational": null
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "ed25519-dalek",
"purl": "pkg:cargo/ed25519-dalek"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "2.0.0"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"CVE-2022-50237",
"GHSA-w5vr-6qhr-36cc"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "Versions of `ed25519-dalek` prior to v2.0 model private and public keys as\nseparate types which can be assembled into a `Keypair`, and also provide APIs\nfor serializing and deserializing 64-byte private/public keypairs.\n\nSuch APIs and serializations are inherently unsafe as the public key is one of\nthe inputs used in the deterministic computation of the `S` part of the signature,\nbut not in the `R` value. An adversary could somehow use the signing function as\nan oracle that allows arbitrary public keys as input can obtain two signatures\nfor the same message sharing the same `R` and only differ on the `S` part.\n\nUnfortunately, when this happens, one can easily extract the private key.\n\nRevised public APIs in v2.0 of `ed25519-dalek` do NOT allow a decoupled\nprivate/public keypair as signing input, except as part of specially labeled\n\"hazmat\" APIs which are clearly labeled as being dangerous if misused.",
"id": "RUSTSEC-2022-0093",
"modified": "2025-10-28T06:02:18Z",
"published": "2022-06-11T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/ed25519-dalek"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0093.html"
},
{
"type": "WEB",
"url": "https://github.com/MystenLabs/ed25519-unsafe-libs"
}
],
"related": [],
"severity": [],
"summary": "Double Public Key Signing Function Oracle Attack on `ed25519-dalek`"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.