CVE-2025-53359
BaseFortify
Publication date: 2025-07-02
Last updated on: 2025-07-03
Assigner: GitHub, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability concerns a signature malleability validation issue in the Rust-based ethereum crate versions prior to 0.18.0. The crate only enforced signature malleability checks, as defined by EIP-2, on legacy Ethereum transactions, but neglected to perform these checks on newer transaction types introduced by EIP-2930, EIP-1559, and EIP-7702. This omission is a deviation from the Ethereum specification. Signature malleability itself is not inherently a security vulnerability, but the lack of validation on these newer transaction types could affect transaction validity and consensus on multi-implementation blockchains. The issue was fixed in version 0.18.0 by extending signature validation to all transaction types. [1]
How can this vulnerability impact me?
If you use the ethereum crate versions prior to 0.18.0 on a blockchain with multiple implementations (like the Ethereum mainnet), this vulnerability could lead to acceptance of malleable signatures on newer transaction types, potentially causing issues with transaction validity and consensus. However, if you use the crate on a single-implementation blockchain, the risk is lower since signature malleability itself is not a direct security issue. The vulnerability could cause inconsistencies in transaction processing and validation, which might affect the reliability of your blockchain interactions. Upgrading to version 0.18.0 or manually checking transaction malleability is recommended to mitigate this impact. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability relates to signature malleability checks missing for certain Ethereum transaction types in the rust-ethereum crate prior to version 0.18.0. Detection involves verifying the version of the ethereum crate in use and checking whether transactions conforming to EIP-2930, EIP-1559, or EIP-7702 are properly validated for signature malleability. Since this is a library-level issue, there are no network-level detection commands; instead, detect vulnerable versions by checking the crate version in your Rust project dependencies (e.g., using `cargo tree | grep ethereum`) and by inspecting transaction validation logs or behavior for acceptance of malleable signatures. Manual malleability checks outside the crate can be implemented as a workaround. [1]
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate step to mitigate this vulnerability is to upgrade the ethereum crate to version 0.18.0 or later, where the signature malleability checks have been properly enforced across all transaction types (legacy, EIP-2930, EIP-1559, and EIP-7702). Alternatively, if upgrading is not immediately possible, implement manual signature malleability checks outside of the crate to ensure that transactions conform to the expected signature invariants. This will prevent acceptance of malleable signatures and maintain consensus correctness. [1]
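The manual check that the detection and mitigation answers above both refer to, written out as an added example; this is not code from the `ethereum` crate or from the advisory, and the type and function names are this example's own. It assumes the standard EIP-2 rule that a canonical secp256k1 signature has 0 < r < n and 0 < s ≤ n/2 for the group order n, and it models the pre-0.18.0 behaviour described above as "the low-s bound is skipped for typed (EIP-2930, EIP-1559, EIP-7702) transactions". Because r and s are fixed-width 32-byte big-endian scalars, comparing the byte arrays lexicographically is the same as comparing the integers, so no big-integer dependency is needed for an out-of-crate check.

```rust
// Added example: EIP-2 signature malleability check applied uniformly to every
// transaction envelope type. Illustration code, not the `ethereum` crate's own.

/// secp256k1 group order n, big-endian.
const SECP256K1_N: [u8; 32] = [
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
    0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
    0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41,
];

/// floor(n / 2), big-endian: the EIP-2 upper bound for `s`.
const SECP256K1_HALF_N: [u8; 32] = [
    0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0x5D, 0x57, 0x6E, 0x73, 0x57, 0xA4, 0x50, 0x1D,
    0xDF, 0xE9, 0x2F, 0x46, 0x68, 0x1B, 0x20, 0xA0,
];

const ZERO: [u8; 32] = [0u8; 32];

/// Transaction envelope types named in the advisory (names are this example's own).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum TxType { Legacy, Eip2930, Eip1559, Eip7702 }

/// The two ECDSA scalars; the recovery id / y-parity is not part of the EIP-2 bound.
#[derive(Clone, Copy, Debug)]
pub struct Signature { pub r: [u8; 32], pub s: [u8; 32] }

/// EIP-2 invariants: 0 < r < n and 0 < s <= n/2. Fixed-width big-endian byte
/// arrays order lexicographically exactly as the integers they encode.
pub fn is_eip2_canonical(sig: &Signature) -> bool {
    sig.r > ZERO && sig.r < SECP256K1_N && sig.s > ZERO && sig.s <= SECP256K1_HALF_N
}

/// Model (assumption) of the pre-0.18.0 behaviour the advisory describes: the
/// low-s bound is enforced for legacy transactions only, so a high-s signature
/// on a typed envelope is still accepted. Kept for comparison only.
pub fn accepts_before_fix(tx_type: TxType, sig: &Signature) -> bool {
    match tx_type {
        TxType::Legacy => is_eip2_canonical(sig),
        _ => sig.r > ZERO && sig.r < SECP256K1_N && sig.s > ZERO && sig.s < SECP256K1_N,
    }
}

/// Behaviour after the fix, and the out-of-crate workaround the advisory
/// recommends: the same canonical-s check regardless of envelope type.
pub fn accepts_after_fix(_tx_type: TxType, sig: &Signature) -> bool {
    is_eip2_canonical(sig)
}

/// n/2 + 1, the smallest non-canonical `s` (constructed demo value).
fn half_n_plus_one() -> [u8; 32] {
    let mut s = SECP256K1_HALF_N;
    // Increment with carry, least-significant byte first.
    for b in s.iter_mut().rev() {
        let (v, carry) = b.overflowing_add(1);
        *b = v;
        if !carry { break; }
    }
    s
}

fn main() {
    let mut r = [0u8; 32];
    r[31] = 1; // constructed: any r in (0, n) serves the demo
    let low = Signature { r, s: SECP256K1_HALF_N };
    let high = Signature { r, s: half_n_plus_one() };
    for ty in [TxType::Legacy, TxType::Eip2930, TxType::Eip1559, TxType::Eip7702] {
        println!(
            "{:?}: low-s before/after fix = {}/{}, high-s before/after fix = {}/{}",
            ty,
            accepts_before_fix(ty, &low), accepts_after_fix(ty, &low),
            accepts_before_fix(ty, &high), accepts_after_fix(ty, &high),
        );
    }
}
```

Running the example shows the gap the advisory describes: the high-s signature is rejected on the legacy path in both versions but accepted on the three typed envelopes only under the pre-fix model. In a real deployment the check belongs at the point where a decoded transaction's `r`/`s` become available and before the transaction is treated as valid.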