CVE-2025-52556
Status: Awaiting Analysis - Queue
Source: BaseFortify

Publication date: 2025-06-21

Last updated on: 2025-06-23

Assigner: GitHub, Inc.

Description
rfc3161-client is a Python library implementing the Time-Stamp Protocol (TSP) described in RFC 3161. Prior to version 1.0.3, there is a flaw in the timestamp response signature verification logic. In particular, chain verification is performed against the TSR's embedded certificates up to the trusted root(s), but fails to verify the TSR's own signature against the timestamping leaf certificates. Consequently, vulnerable versions perform insufficient signature validation to properly consider a TSR verified, as the attacker can introduce any TSR signature so long as the embedded leaf chains up to some root TSA. This issue has been patched in version 1.0.3. There is no workaround for this issue.
CVSS Scores: none listed
EPSS Scores: Probability and Percentile not listed
Meta Information
Published: 2025-06-21
Last Modified: 2025-06-23
Generated: 2026-05-07
AI Q&A: 2025-06-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-347: The product does not verify, or incorrectly verifies, the cryptographic signature for data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-52556 is a vulnerability in the rfc3161-client Python library versions 1.0.2 and earlier. The flaw lies in the timestamp response (TSR) signature verification process. While the library correctly verifies the certificate chain up to trusted root authorities, it fails to verify the TSR's own signature against the timestamping leaf certificate. This means an attacker can supply any TSR signature as long as the embedded certificate chain leads to a trusted root TSA, effectively bypassing proper signature validation. This improper verification is classified under CWE-347 (Improper Verification of Cryptographic Signature). The issue was fixed in version 1.0.3. [1]
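
The description above and this answer both describe the same control-flow gap: the embedded certificate chain is validated up to a trusted root, but the signature on the timestamp response itself is never checked against the leaf that supposedly made it. The following Python model, written for this page and not taken from rfc3161-client, shows the pre-1.0.3 check beside the corrected one. Certificates, the chain and the signature are toy stand-ins (a frozen dataclass with a subject, an issuer and a key; HMAC-SHA256 as the "signature"), and all names, the trust store and the TSR contents are constructed for the demonstration. Real responses carry CMS SignedData over a DER-encoded TSTInfo with X.509 certificates, but the missing step is the same.

```python
"""Simplified model of RFC 3161 timestamp-response (TSR) verification.

Added illustration for CVE-2025-52556; not code from rfc3161-client.
A "certificate" is a dict-like record whose issuer signs its subject name,
and "signing" is HMAC-SHA256 (the toy key plays both private and public key).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes         # toy: one symmetric secret stands in for the key pair
    issuer_sig: bytes  # issuer's signature over the subject name (self-signed for roots)


@dataclass(frozen=True)
class TimestampResponse:
    tst_info: bytes     # the signed content; stands in for the DER-encoded TSTInfo
    signature: bytes    # signature over tst_info, supposedly made by the leaf TSA cert
    certificates: tuple  # embedded chain, leaf first, root last


def toy_sign(key: bytes, content: bytes) -> bytes:
    """Toy signature primitive. Real TSRs use CMS SignedData with RSA/ECDSA."""
    return hmac.new(key, content, hashlib.sha256).digest()


def toy_verify(key: bytes, content: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(toy_sign(key, content), signature)


def issue_cert(subject: str, issuer: Optional[Cert]) -> Cert:
    """Create a toy certificate; a None issuer yields a self-signed root."""
    key = secrets.token_bytes(32)
    if issuer is None:
        return Cert(subject, subject, key, toy_sign(key, subject.encode()))
    return Cert(subject, issuer.subject, key, toy_sign(issuer.key, subject.encode()))


def chain_to_trusted_root(certs: tuple, trusted_roots: frozenset) -> bool:
    """Walk leaf -> root: every link must be signed by its issuer and the last
    certificate must be in the trust store. This is the step both versions do."""
    if not certs:
        return False
    for cert, issuer in zip(certs, certs[1:]):
        if cert.issuer != issuer.subject:
            return False
        if not toy_verify(issuer.key, cert.subject.encode(), cert.issuer_sig):
            return False
    return certs[-1] in trusted_roots


def verify_tsr_vulnerable(tsr: TimestampResponse, trusted_roots: frozenset) -> bool:
    """Pre-1.0.3 logic as the advisory describes it: chain only; the TSR
    signature is never compared against the leaf certificate."""
    return chain_to_trusted_root(tsr.certificates, trusted_roots)


def verify_tsr_fixed(tsr: TimestampResponse, trusted_roots: frozenset) -> bool:
    """Chain check plus the missing step: the signature over the signed content
    must verify under the leaf's key. Models the 1.0.3 behaviour."""
    if not chain_to_trusted_root(tsr.certificates, trusted_roots):
        return False
    leaf = tsr.certificates[0]
    return toy_verify(leaf.key, tsr.tst_info, tsr.signature)


def build_scenario():
    """Constructed demo data: a trusted root, a leaf it issued, one genuine TSR
    and one tampered TSR that reuses the genuine (public) chain."""
    root = issue_cert("Example Root TSA", None)
    leaf = issue_cert("Example Timestamp Unit", root)
    trusted = frozenset({root})
    genuine_info = b"imprint=sha256(document);genTime=2025-06-21T00:00:00Z"
    genuine = TimestampResponse(genuine_info, toy_sign(leaf.key, genuine_info), (leaf, root))
    # Tampered content with arbitrary signature bytes; the chain is untouched.
    forged_info = b"imprint=sha256(document);genTime=2020-01-01T00:00:00Z"
    forged = TimestampResponse(forged_info, b"\x00" * 32, (leaf, root))
    return trusted, genuine, forged


def run_checks() -> dict:
    """Outcome of both verifiers on the genuine and the tampered response."""
    trusted, genuine, forged = build_scenario()
    return {
        "genuine_vulnerable": verify_tsr_vulnerable(genuine, trusted),
        "genuine_fixed": verify_tsr_fixed(genuine, trusted),
        "forged_vulnerable": verify_tsr_vulnerable(forged, trusted),  # True: the flaw
        "forged_fixed": verify_tsr_fixed(forged, trusted),            # False: rejected
    }


if __name__ == "__main__":
    for name, accepted in run_checks().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The tampered response passes the chain-only verifier because nothing in the chain depends on the response content; only the final `toy_verify` over `tst_info` under the leaf's key ties the embedded certificates to what was actually signed, which is the check version 1.0.3 adds.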


How can this vulnerability impact me?

This vulnerability can allow an attacker to forge or tamper with timestamp responses without detection, as the signature on the timestamp response is not properly verified. This undermines the trustworthiness of timestamps, which are critical for proving the existence or integrity of data at a certain time. As a result, attackers could introduce fraudulent timestamps that appear valid, potentially compromising systems or processes that rely on accurate and secure timestamping. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking the version of the rfc3161-client Python package installed on your system. Versions 1.0.2 and earlier are vulnerable. There is no direct command to detect exploitation on the network or system from the provided information. To verify the installed version, you can run: `pip show rfc3161-client` or `pip list | grep rfc3161-client`. Additionally, testing timestamp responses for proper signature verification using the fixed version's verification method can help detect improper validation, but no specific detection commands are provided. [1, 2]
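
The version check suggested above, as an added helper that is not part of rfc3161-client: it reads the installed distribution version through the standard library and compares it against the 1.0.3 fix from the advisory. The distribution name `rfc3161-client` and the treatment of pre-release tags (a `1.0.3rc1` counts as below the fix) are assumptions made here.

```python
"""Report whether the installed rfc3161-client predates the 1.0.3 fix.
Added helper for CVE-2025-52556; standard library only."""
import re
from importlib import metadata

FIXED_VERSION = (1, 0, 3)  # patched release named in the advisory

_VERSION_RE = re.compile(r"\s*v?(\d+(?:\.\d+)*)\s*(a|b|c|rc|alpha|beta|dev|pre)?")


def parse_version(text: str):
    """Return (release_tuple, is_prerelease). The release tuple is padded to
    three components so that '1.0' compares like '1.0.0'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = parts + (0,) * (3 - len(parts))
    return parts, m.group(2) is not None


def is_vulnerable(version_text: str) -> bool:
    """Affected: any release below 1.0.3, or a pre-release of 1.0.3 itself."""
    release, prerelease = parse_version(version_text)
    if release < FIXED_VERSION:
        return True
    return release == FIXED_VERSION and prerelease


def installed_status(dist_name: str = "rfc3161-client") -> str:
    """Human-readable status for the interpreter this runs in."""
    try:
        version = metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return f"{dist_name} is not installed in this interpreter"
    state = "VULNERABLE (upgrade to 1.0.3 or later)" if is_vulnerable(version) else "patched"
    return f"{dist_name} {version}: {state}"


if __name__ == "__main__":
    print(installed_status())
```

Run it with the same interpreter your application uses; a package installed in a different virtual environment will not be found, and `pip show` has the same limitation.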


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade the rfc3161-client Python package to version 1.0.3 or later, where the flaw in timestamp response signature verification is patched. There are no workarounds available for this issue, so upgrading is essential. [1]

