CVE-2025-66017: cggmp24 and cggmp21 are vulnerable to signature forgery through altered presignatures
(updated )
This attack is against presignatures used in very specific context:
- Presignatures + HD wallets derivation: security level reduces to 85 bits
Previously users could generate a presignature, and then choose a HD derivation path while issuing a partial signature viaPresignature::set_derivation_path, which is malleable to attack that reduces target security level. To mitigate, this method has been removed from API. - Presignatures + “raw signing” (when signer signs a hash without knowing an original message): results into signature forgery attack
Previously, users were able to configurePresignature::issue_partial_signaturewith hashed message without ever providing original mesage. In new API, this method only accepts digests for which original message has been observed.
References
- github.com/LFDT-Lockness/cggmp21
- github.com/LFDT-Lockness/cggmp21/commit/9d98157e151596573cb071da59d27a4e0ac9b8dc
- github.com/LFDT-Lockness/cggmp21/security/advisories/GHSA-8frv-q972-9rq5
- github.com/advisories/GHSA-8frv-q972-9rq5
- nvd.nist.gov/vuln/detail/CVE-2025-66017
- rustsec.org/advisories/RUSTSEC-2025-0127.html
- rustsec.org/advisories/RUSTSEC-2025-0128.html
- www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained
Code Behaviors & Features
Detect and mitigate CVE-2025-66017 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →