rustsec-2025-0127
Vulnerability from osv_rustsec
Published
2025-11-24 12:00
Modified
2025-11-26 06:00
Summary
CGGMP21 presignatures can be used in the way that significantly reduces security
Details

This attack is against presignatures used in very specific context: * Presignatures + HD wallets derivation: security level reduces to 85 bits \ Previously you could generate a presignature, and then choose a HD derivation path while issuing a partial signature via Presignature::set_derivation_path, which is malleable to attack that reduces target security level. To mitigate, this method has been removed from API. * Presignatures + "raw signing" (when signer signs a hash without knowing an original message): results into signature forgery attack \ Previously, you could use Presignature::issue_partial_signature with hashed message without ever providing original mesage. In new API, this method only accepts digests for which original message has been observed.

Patches

cggmp24 v0.7.0-alpha.2 release contains API changes that make it impossible to use presignatures in contexts in which it reduces security. Follow the migration guidelines to upgrade.

Workarounds

You can continue using un-patched versions of library as long as you don't use presignatures in said scenarios where it weakens system security. To be sure, migrate to patched version that excludes presignatures from being used in such scenarios.

References

Read our blog post to learn more.

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "crypto-failure"
        ],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "cggmp21",
        "purl": "pkg:cargo/cggmp21"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2025-66017",
    "GHSA-8frv-q972-9rq5"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "This attack is against presignatures used in very specific context:\n* Presignatures + HD wallets derivation: security level reduces to 85 bits \\\n  Previously you could generate a presignature, and then choose a HD derivation path while issuing a partial signature via [`Presignature::set_derivation_path`](https://docs.rs/cggmp21/0.6.3/cggmp21/signing/struct.Presignature.html#method.set_derivation_path), which is malleable to attack that reduces target security level. To mitigate, this method has been removed from API.\n* Presignatures + \"raw signing\" (when signer signs a hash without knowing an original message): results into signature forgery attack \\\n  Previously, you could use [`Presignature::issue_partial_signature`](https://docs.rs/cggmp21/0.6.3/cggmp21/signing/struct.Presignature.html#method.issue_partial_signature) with hashed message without ever providing original mesage. In new API, this method only accepts digests for which original message has been observed.\n\n### Patches\n`cggmp24 v0.7.0-alpha.2` release contains API changes that make it impossible to use presignatures in contexts in which it reduces security. Follow the [migration guidelines](https://github.com/LFDT-Lockness/cggmp21/blob/v0.7.0-alpha.2/CGGMP21_MIGRATION.md) to upgrade.\n\n### Workarounds\nYou can continue using un-patched versions of library as long as you don\u0027t use presignatures in said scenarios where it weakens system security. To be sure, migrate to patched version that excludes presignatures from being used in such scenarios.\n\n### References\nRead our [blog post](https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained) to learn more.",
  "id": "RUSTSEC-2025-0127",
  "modified": "2025-11-26T06:00:45Z",
  "published": "2025-11-24T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/cggmp21"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0127.html"
    },
    {
      "type": "WEB",
      "url": "https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "CGGMP21 presignatures can be used in the way that significantly reduces security"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.