Skip to content

Commit 826f224

Browse files
survivedsurvived
authored
Report cggmp21 missing check vulnerability (#2481)
Signed-off-by: Denis Varlakov <[email protected]>
1 parent 01b3e86 commit 826f224

File tree

2 files changed

+47
-0
lines changed

2 files changed

+47
-0
lines changed

crates/cggmp21/RUSTSEC-0000-0000.md

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
```toml
2+
[advisory]
3+
id = "RUSTSEC-0000-0000"
4+
package = "cggmp21"
5+
date = "2025-11-24"
6+
url = "https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained"
7+
categories = ["crypto-failure"]
8+
keywords = ["zk-proof"]
9+
aliases = ["CVE-2025-66016"]
10+
[versions]
11+
patched = [">= 0.6.3"]
12+
```
13+
14+
# Missing check in ZK proof in CGGMP21 Threshold Signing Protocol
15+
16+
Vulnerability concerns a missing check in the ZK proof that enables an attack in which single malicious signer can reconstruct full private key.
17+
18+
### Patches
19+
* `cggmp21 v0.6.3` is a patch release that contains a fix that introduces this specific missing check.
20+
* However, we recommend upgrading to `cggmp24 v0.7.0-alpha.2` in which we've introduced many other security checks as a precaution. Follow the [migration guidelines](https://github.com/LFDT-Lockness/cggmp21/blob/v0.7.0-alpha.2/CGGMP21_MIGRATION.md) to upgrade.
21+
22+
### References
23+
Read our [blog post](https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained) to learn more.

crates/cggmp24/RUSTSEC-0000-0000.md

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
```toml
2+
[advisory]
3+
id = "RUSTSEC-0000-0000"
4+
package = "cggmp24"
5+
date = "2025-11-24"
6+
url = "https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained"
7+
categories = ["crypto-failure"]
8+
keywords = ["zk-proof"]
9+
aliases = ["CVE-2025-66016"]
10+
[versions]
11+
patched = [">= 0.7.0-alpha.2"]
12+
```
13+
14+
# Missing check in ZK proof in CGGMP21 Threshold Signing Protocol
15+
16+
Vulnerability concerns a missing check in the ZK proof that enables an attack in which single malicious signer can reconstruct full private key.
17+
18+
### Patches
19+
* `cggmp21 v0.6.3` is a patch release that contains a fix that introduces this specific missing check.
20+
* However, we recommend upgrading to `cggmp24 v0.7.0-alpha.2` in which we've introduced many other security checks as a precaution. Follow the [migration guidelines](https://github.com/LFDT-Lockness/cggmp21/blob/v0.7.0-alpha.2/CGGMP21_MIGRATION.md) to upgrade.
21+
22+
### References
23+
Read our [blog post](https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained) to learn more.
24+

0 commit comments

Comments
 (0)