advisory-db/crates/cggmp21/RUSTSEC-0000-0000.md
Denis Varlakov 826f224270 Report cggmp21 missing check vulnerability (#2481)
Signed-off-by: Denis Varlakov <denis@dfns.co>
2025-11-25 12:10:07 +01:00

[advisory]
id = "RUSTSEC-0000-0000"
package = "cggmp21"
date = "2025-11-24"
url = "https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained"
categories = ["crypto-failure"]
keywords = ["zk-proof"]
aliases = ["CVE-2025-66016"]
[versions]
patched = [">= 0.6.3"]

Missing check in ZK proof in CGGMP21 Threshold Signing Protocol

The vulnerability concerns a missing check in the ZK proof that enables an attack in which a single malicious signer can reconstruct the full private key.

Patches

  • cggmp21 v0.6.3 is a patch release containing a fix that adds this specific missing check.
  • However, we recommend upgrading to cggmp24 v0.7.0-alpha.2 in which we've introduced many other security checks as a precaution. Follow the migration guidelines to upgrade.

References

Read our blog post to learn more.