advisory-db/crates/cggmp24/RUSTSEC-2025-0130.md

[advisory]
id = "RUSTSEC-2025-0130"
package = "cggmp24"
date = "2025-11-24"
url = "https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained"
categories = ["crypto-failure"]
keywords = ["zk-proof"]
aliases = ["CVE-2025-66016"]
[versions]
patched = [">= 0.7.0-alpha.2"]

Missing check in ZK proof in CGGMP21 Threshold Signing Protocol

The vulnerability concerns a missing check in the ZK proof. It enables an attack in which a single malicious signer can reconstruct the full private key.

Patches

  • cggmp21 v0.6.3 is a patch release containing a fix that adds this specific missing check.
  • However, we recommend upgrading to cggmp24 v0.7.0-alpha.2 in which we've introduced many other security checks as a precaution. Follow the migration guidelines to upgrade.

References

Read our blog post to learn more.