GHSA-v6x3-9r38-r27q (CVE-2025-67897)

Details

In Sequoia before 2.1.0, aes_key_unwrap panics if passed a ciphertext that is too short. A remote attacker can take advantage of this issue to crash an application by sending a victim an encrypted message with a crafted PKESK or SKESK packet.

Affected Packages

sequoia-openpgp

crates.io

Fixed in:

2.1.0

References

WEBhttps://bugs.debian.org/1122582 ADVISORYhttps://github.com/advisories/GHSA-v6x3-9r38-r27q PACKAGEhttps://gitlab.com/sequoia-pgp/sequoia WEBhttps://gitlab.com/sequoia-pgp/sequoia/-/blob/b59886e5e7bdf7169ed330f309a6633d131776e5/openpgp/NEWS#L7-L26 WEBhttps://gitlab.com/sequoia-pgp/sequoia/-/commit/b59886e5e7bdf7169ed330f309a6633d131776e5 ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-67897 WEBhttps://rustsec.org/advisories/RUSTSEC-2025-0136.html

GHSA-v6x3-9r38-r27q

Details

Affected Packages

References

Aliases

CVSS Analysis

Related

Ecosystems

Timeline