GHSA-8frv-q972-9rq5
Vulnerability from github
Impact
This attack is against presignatures used in very specific context:
* Presignatures + HD wallets derivation: security level reduces to 85 bits \
Previously users could generate a presignature, and then choose a HD derivation path while issuing a partial signature via Presignature::set_derivation_path, which is malleable to attack that reduces target security level. To mitigate, this method has been removed from API.
* Presignatures + "raw signing" (when signer signs a hash without knowing an original message): results into signature forgery attack \
Previously, users were able to configure Presignature::issue_partial_signature with hashed message without ever providing original mesage. In new API, this method only accepts digests for which original message has been observed.
Patches
cggmp24 v0.7.0-alpha.2 release contains API changes that make it impossible to use presignatures in contexts in which it reduces security. Follow migration guidelines to upgrade.
Workarounds
Users can continue using un-patched versions of library as long as they don't use presignatures in said scenarios where it weakens system security. To be sure, migrate to patched version that excludes presignatures from being used in such scenarios.
References
Read this blog post to learn more.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "cggmp21"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "cggmp24"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.0-alpha.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66017"
],
"database_specific": {
"cwe_ids": [
"CWE-327"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-25T20:42:28Z",
"nvd_published_at": "2025-11-25T20:16:00Z",
"severity": "HIGH"
},
"details": "### Impact\nThis attack is against presignatures used in very specific context:\n* Presignatures + HD wallets derivation: security level reduces to 85 bits \\\n Previously users could generate a presignature, and then choose a HD derivation path while issuing a partial signature via [`Presignature::set_derivation_path`](https://docs.rs/cggmp21/0.6.3/cggmp21/signing/struct.Presignature.html#method.set_derivation_path), which is malleable to attack that reduces target security level. To mitigate, this method has been removed from API.\n* Presignatures + \"raw signing\" (when signer signs a hash without knowing an original message): results into signature forgery attack \\\n Previously, users were able to configure [`Presignature::issue_partial_signature`](https://docs.rs/cggmp21/0.6.3/cggmp21/signing/struct.Presignature.html#method.issue_partial_signature) with hashed message without ever providing original mesage. In new API, this method only accepts digests for which original message has been observed.\n\n### Patches\n`cggmp24 v0.7.0-alpha.2` release contains API changes that make it impossible to use presignatures in contexts in which it reduces security. Follow [migration guidelines](https://github.com/LFDT-Lockness/cggmp21/blob/v0.7.0-alpha.2/CGGMP21_MIGRATION.md) to upgrade.\n\n### Workarounds\nUsers can continue using un-patched versions of library as long as they don\u0027t use presignatures in said scenarios where it weakens system security. To be sure, migrate to patched version that excludes presignatures from being used in such scenarios.\n\n### References\nRead this [blog post](https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained) to learn more.",
"id": "GHSA-8frv-q972-9rq5",
"modified": "2025-11-27T09:00:00Z",
"published": "2025-11-25T20:42:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/LFDT-Lockness/cggmp21/security/advisories/GHSA-8frv-q972-9rq5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66017"
},
{
"type": "WEB",
"url": "https://github.com/LFDT-Lockness/cggmp21/commit/9d98157e151596573cb071da59d27a4e0ac9b8dc"
},
{
"type": "PACKAGE",
"url": "https://github.com/LFDT-Lockness/cggmp21"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0127.html"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0128.html"
},
{
"type": "WEB",
"url": "https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "cggmp24 and cggmp21 are vulnerable to signature forgery through altered presignatures"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.