rustsec/advisory-db
1
0
Fork 0
mirror of https://github.com/rustsec/advisory-db.git synced 2025-12-27 01:54:07 -05:00
Code Issues Packages Projects Releases Wiki Activity

Report cggmp21 missing check vulnerability (#2481)

Browse Source 
Signed-off-by: Denis Varlakov <denis@dfns.co>
This commit is contained in:
Denis Varlakov
2025-11-25 12:10:07 +01:00
committed by GitHub
parent 01b3e86c7a
commit 826f224270
2 changed files with 47 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
crates/cggmp21/RUSTSEC-0000-0000.md Normal file
View File

@@ -0,0 +1,23 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "cggmp21"
date = "2025-11-24"
url = "https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained"
categories = ["crypto-failure"]
keywords = ["zk-proof"]
aliases = ["CVE-2025-66016"]
[versions]
patched = [">= 0.6.3"]
```
# Missing check in ZK proof in CGGMP21 Threshold Signing Protocol
Vulnerability concerns a missing check in the ZK proof that enables an attack in which single malicious signer can reconstruct full private key.
### Patches
* `cggmp21 v0.6.3` is a patch release that contains a fix that introduces this specific missing check.
* However, we recommend upgrading to `cggmp24 v0.7.0-alpha.2` in which we've introduced many other security checks as a precaution. Follow the [migration guidelines](https://github.com/LFDT-Lockness/cggmp21/blob/v0.7.0-alpha.2/CGGMP21_MIGRATION.md) to upgrade.
### References
Read our [blog post](https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained) to learn more.

24
crates/cggmp24/RUSTSEC-0000-0000.md Normal file
View File

@@ -0,0 +1,24 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "cggmp24"
date = "2025-11-24"
url = "https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained"
categories = ["crypto-failure"]
keywords = ["zk-proof"]
aliases = ["CVE-2025-66016"]
[versions]
patched = [">= 0.7.0-alpha.2"]
```
# Missing check in ZK proof in CGGMP21 Threshold Signing Protocol
Vulnerability concerns a missing check in the ZK proof that enables an attack in which single malicious signer can reconstruct full private key.
### Patches
* `cggmp21 v0.6.3` is a patch release that contains a fix that introduces this specific missing check.
* However, we recommend upgrading to `cggmp24 v0.7.0-alpha.2` in which we've introduced many other security checks as a precaution. Follow the [migration guidelines](https://github.com/LFDT-Lockness/cggmp21/blob/v0.7.0-alpha.2/CGGMP21_MIGRATION.md) to upgrade.
### References
Read our [blog post](https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained) to learn more.