CVE-2025-66017
BaseFortify
Publication date: 2025-11-25
Last updated on: 2025-11-25
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cggmp24 | cggmp24 | 0.7.0-alpha.2 |
| cggmp21 | cggmp21 | 0.6.3 |
| cggmp24 | cggmp24 | 0.7.0-alpha.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in versions 0.6.3 and prior of cggmp21 and version 0.7.0-alpha.1 of cggmp24, where presignatures can be used in a way that significantly reduces security in the CGGMP24 ECDSA TSS protocol. This protocol supports 1-round signing with preprocessing rounds, identifiable abort, and key refresh. The issue is addressed in cggmp24 version 0.7.0-alpha.2 by API changes that prevent insecure use of presignatures.
How can this vulnerability impact me?
This vulnerability can significantly reduce the security of the signing process in affected versions of the CGGMP24 protocol, potentially allowing attackers to exploit presignatures to compromise cryptographic operations, which may lead to unauthorized actions or data breaches.
What immediate steps should I take to mitigate this vulnerability?
Upgrade to cggmp24 version 0.7.0-alpha.2 or later. This version contains API changes that prevent the insecure use of presignatures that significantly reduced the protocol's security in earlier versions.