CVE-2025-53359: ethereum does not check transaction malleability for EIP-2930, EIP-1559 and EIP-7702 transactions
Prior to ethereum crate v0.18.0, signature malleability (according to EIP-2) was only checked for “legacy” transactions, but not for EIP-2930, EIP-1559 and EIP-7702 transactions.
This is a specification deviation and therefore a high severity advisory if the ethereum crate is used for Ethereum mainnet. Note that signature malleability itself is not a security issue, and therefore if the ethereum crate is used on a single-implementation blockchain, it’s a low/informational severity advisory.
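To make the deviation concrete, the following Rust example (added here, not code from the ethereum crate) applies the EIP-2 rule, s must lie in [1, secp256k1n/2], to the four transaction types the advisory names and contrasts the pre-0.18.0 behaviour (legacy only) with the spec-conformant one. The `TxType` enum, `Signature` struct and function names are assumptions for illustration; the threshold constant is secp256k1n/2.

```rust
// Added example, not the ethereum crate's own code: the EIP-2 low-s rule
// applied to every transaction type named in the advisory (names assumed).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TxType { Legacy, Eip2930, Eip1559, Eip7702 }
/// Big-endian 256-bit scalar; `[u8; 32]` ordering equals numeric order here.
pub type U256Be = [u8; 32];
/// secp256k1n / 2: EIP-2 rejects any signature whose s exceeds this value.
pub const SECP256K1N_HALF: U256Be = [
    0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x5d, 0x57, 0x6e, 0x73, 0x57, 0xa4, 0x50, 0x1d, 0xdf, 0xe9, 0x2f, 0x46, 0x68, 0x1b, 0x20, 0xa0,
];

#[derive(Debug, Clone)]
pub struct Signature { pub r: U256Be, pub s: U256Be, pub y_parity: bool }

/// EIP-2 malleability check: 1 <= s <= secp256k1n/2.
pub fn is_low_s(s: &U256Be) -> bool {
    s.iter().any(|b| *b != 0) && *s <= SECP256K1N_HALF
}

/// Pre-0.18.0 behaviour described by the advisory: only legacy transactions
/// were checked, so a high-s signature on a typed transaction was accepted.
pub fn check_malleability_before_fix(ty: TxType, sig: &Signature) -> bool {
    match ty {
        TxType::Legacy => is_low_s(&sig.s),
        _ => true,
    }
}

/// Spec-conformant behaviour: the same rule for every transaction type.
pub fn check_malleability_fixed(_ty: TxType, sig: &Signature) -> bool {
    is_low_s(&sig.s)
}

/// Transaction types on which the buggy and fixed checkers disagree for `sig`.
pub fn divergent_types(sig: &Signature) -> Vec<TxType> {
    [TxType::Legacy, TxType::Eip2930, TxType::Eip1559, TxType::Eip7702]
        .iter()
        .copied()
        .filter(|ty| check_malleability_before_fix(*ty, sig) != check_malleability_fixed(*ty, sig))
        .collect()
}

fn main() {
    // Constructed sample: s = secp256k1n/2 + 1, the smallest high-s value.
    let mut high_s = SECP256K1N_HALF;
    high_s[31] = 0xa1;
    let sig = Signature { r: [1u8; 32], s: high_s, y_parity: false };
    println!("typed txs that accepted a high s before the fix: {:?}", divergent_types(&sig));
}
```

Running it lists Eip2930, Eip1559 and Eip7702 as the types where the old check let a high-s signature through while the fixed check rejects it.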
References
- github.com/advisories/GHSA-3w94-vq2x-v5wr
- github.com/rust-ethereum/ethereum
- github.com/rust-ethereum/ethereum/commit/2dd9d1d5d0936ec7350093ff3a5a7169a349db77
- github.com/rust-ethereum/ethereum/pull/67
- github.com/rust-ethereum/ethereum/security/advisories/GHSA-3w94-vq2x-v5wr
- nvd.nist.gov/vuln/detail/CVE-2025-53359