CVE-2022-50237
BaseFortify
Publication date: 2025-07-28
Last updated on: 2025-07-29
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ed25519 | elisabeth | * |
| erlang | libdecaf | * |
| horse25519 | * | * |
| gnu | nettle | * |
| ed25519-donna | * | * |
| mystenlabs | ed25519-dalek | * |
| monocypher | * | * |
| polkadot-js | wasm | * |
| trezor | firmware | * |
| python | python-pure25519 | From 3.13.1 (inc) to 3.13.11 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-497 | The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2022-50237 affects the ed25519-dalek Rust crate before version 2.0 (and other Ed25519 implementations with the same API shape) because the signing function accepts the public key as a separate input, decoupled from the private key, rather than deriving or storing it alongside the secret. Ed25519 signatures are deterministic and consist of two components, R and S. The nonce r is derived from the secret prefix and the message only, so R = rB does not depend on the public key; S = r + H(R || A || M) * a mod l does, because the public key A is hashed into the challenge. Using the signing function as an oracle on the same message with two different public keys A1 and A2 therefore yields two signatures that share R but differ in S, and S1 - S2 = (h1 - h2) * a mod l, where h1 and h2 are the two challenge hashes. The attacker solves for the secret scalar a, which is all that is needed to produce valid signatures under the victim's real public key, compromising the keypair. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to the complete compromise of the private key used for your Ed25519 digital signatures. If exploited, an attacker who can submit signing requests with a public key of their choosing recovers your secret scalar from two signatures on the same message. With that scalar exposed, the attacker can forge signatures on arbitrary messages and impersonate you wherever that keypair is trusted (code signing, authentication, transaction signing), severely undermining the security of the operations that depend on it. Note that Ed25519 is a signature scheme, not an encryption scheme, so the impact is forgery and impersonation rather than decryption of data. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is detected by identifying whether your system or software uses an affected Ed25519 library whose signing API takes the secret key and the public key as independent inputs, such as ed25519-dalek prior to version 2.0. In practice that means reviewing your software dependencies and their versions (for a Rust project, the `ed25519-dalek` entry in `Cargo.lock`) and checking whether the signing call in your own code passes a caller-supplied public key. No network-level detection commands are provided in the resources, since the weakness is in the signing API rather than in any protocol traffic. A direct functional check is to sign the same message twice with two different public-key inputs: if the library accepts the second key and both signatures share the same R but have different S values, the signing function is exploitable as an oracle. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the ed25519-dalek crate to version 2.0 or later, which revises the public APIs so that a decoupled private/public key pair can no longer be used for signing. For other affected libraries, apply patches or updates that either verify the supplied public key matches the private key or derive the public key internally during signing. Avoid calling signing APIs that accept an arbitrary public key independently of the private key, and never let untrusted input reach that parameter. If you maintain a custom implementation, store the public key together with the private key (or re-derive it from the seed inside the signing function) and hash only that value into the challenge. Reviewing and updating every affected Ed25519 library in your environment is critical to mitigating this vulnerability. [1, 2]