Vulnerability-Lookup

CVE-2025-27498 (GCVE-0-2025-27498)

Vulnerability from cvelistv5 – Published: 2025-03-03 16:52 – Updated: 2025-03-03 17:32

Title

AEADs/ascon-aead: Plaintext exposed in decrypt_in_place_detached even on tag verification failure

Summary

aes-gcm is a pure Rust implementation of the AES-GCM. In decrypt_in_place_detached, the decrypted ciphertext (which is the correct ciphertext) is exposed even if the tag is incorrect. This is because in decrypt_inplace in asconcore.rs, tag verification causes an error to be returned with the plaintext contents still in buffer. The vulnerability is fixed in 0.4.3.

Severity ?

5.6 (Medium)


                        
                          CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

CWE

CWE-347 - Improper Verification of Cryptographic Signature

Assigner

GitHub_M

References

URL

Tags

	https://github.com/RustCrypto/AEADs/security/advi…	x_refsource_CONFIRM
	https://github.com/RustCrypto/AEADs/commit/d1d749…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	RustCrypto	AEADs	Affected: < 0.4.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27498",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-03T17:26:48.023206Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-03T17:32:24.640Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AEADs",
          "vendor": "RustCrypto",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.4.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "aes-gcm is a pure Rust implementation of the AES-GCM. In decrypt_in_place_detached, the decrypted ciphertext (which is the correct ciphertext) is exposed even if the tag is incorrect. This is because in decrypt_inplace in asconcore.rs, tag verification causes an error to be returned with the plaintext contents still in buffer. The vulnerability is fixed in 0.4.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-03T16:52:02.750Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/RustCrypto/AEADs/security/advisories/GHSA-r38m-44fw-h886",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/RustCrypto/AEADs/security/advisories/GHSA-r38m-44fw-h886"
        },
        {
          "name": "https://github.com/RustCrypto/AEADs/commit/d1d749ba57e38e65b0e037cd744d0b17f7254037",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/RustCrypto/AEADs/commit/d1d749ba57e38e65b0e037cd744d0b17f7254037"
        }
      ],
      "source": {
        "advisory": "GHSA-r38m-44fw-h886",
        "discovery": "UNKNOWN"
      },
      "title": "AEADs/ascon-aead: Plaintext exposed in decrypt_in_place_detached even on tag verification failure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-27498",
    "datePublished": "2025-03-03T16:52:02.750Z",
    "dateReserved": "2025-02-26T18:11:52.304Z",
    "dateUpdated": "2025-03-03T17:32:24.640Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"AEADs/ascon-aead: Plaintext exposed in decrypt_in_place_detached even on tag verification failure\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-347\", \"lang\": \"en\", \"description\": \"CWE-347: Improper Verification of Cryptographic Signature\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV4_0\": {\"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"ACTIVE\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"baseScore\": 5.6, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N\", \"version\": \"4.0\"}}], \"references\": [{\"name\": \"https://github.com/RustCrypto/AEADs/security/advisories/GHSA-r38m-44fw-h886\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/RustCrypto/AEADs/security/advisories/GHSA-r38m-44fw-h886\"}, {\"name\": \"https://github.com/RustCrypto/AEADs/commit/d1d749ba57e38e65b0e037cd744d0b17f7254037\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/RustCrypto/AEADs/commit/d1d749ba57e38e65b0e037cd744d0b17f7254037\"}], \"affected\": [{\"vendor\": \"RustCrypto\", \"product\": \"AEADs\", \"versions\": [{\"version\": \"\u003c 0.4.3\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-03-03T16:52:02.750Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"aes-gcm is a pure Rust implementation of the AES-GCM. In decrypt_in_place_detached, the decrypted ciphertext (which is the correct ciphertext) is exposed even if the tag is incorrect. This is because in decrypt_inplace in asconcore.rs, tag verification causes an error to be returned with the plaintext contents still in buffer. The vulnerability is fixed in 0.4.3.\"}], \"source\": {\"advisory\": \"GHSA-r38m-44fw-h886\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27498\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-03T17:26:48.023206Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-03T17:32:20.576Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-27498\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2025-02-26T18:11:52.304Z\", \"datePublished\": \"2025-03-03T16:52:02.750Z\", \"dateUpdated\": \"2025-03-03T17:32:24.640Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-R38M-44FW-H886

Vulnerability from github – Published: 2025-03-03 20:22 – Updated: 2025-03-03 20:22

Summary

AEADs/ascon-aead: Plaintext exposed in decrypt_in_place_detached even on tag verification failure

Details

Summary

In decrypt_in_place_detached, the decrypted ciphertext (which is the correct ciphertext) is exposed even if the tag is incorrect.

Details

This is because in decrypt_inplace in asconcore.rs, tag verification causes an error to be returned with the plaintext contents still in buffer. The root cause of this vulnerability is similar to https://github.com/RustCrypto/AEADs/security/advisories/GHSA-423w-p2w9-r7vq

PoC

use ascon_aead::Tag;
use ascon_aead::{Ascon128, Key, Nonce};
use ascon_aead::aead::{AeadInPlace, KeyInit};

fn main() {

    let key = Key::<Ascon128>::from_slice(b"very secret key.");
    let cipher = Ascon128::new(key);

    let nonce = Nonce::<Ascon128>::from_slice(b"unique nonce 012"); // 128-bits; unique per message

    let mut buffer: Vec<u8> = Vec::new(); // Buffer needs 16-bytes overhead for authentication tag
    buffer.extend_from_slice(b"plaintext message");

    // Encrypt `buffer` in-place detached, replacing the plaintext contents with ciphertext
    cipher.encrypt_in_place_detached(nonce, b"", &mut buffer).expect("encryption failure!");

    // Decrypt `buffer` in-place with the wrong tag, ignoring the decryption error
    let _ = cipher.decrypt_in_place_detached(nonce, b"", &mut buffer, Tag::<Ascon128>::from_slice(b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"));

    assert_eq!(&buffer, b"plaintext message");
}

Impact

If a program continues to use the result of decrypt_in_place_detached after a decryption failure, the result will be unauthenticated. This may permit some forms of chosen ciphertext attacks (CCAs).

Severity ?

5.7 (Medium)


                  
                    CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.4.2"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "ascon_aead"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27498"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-03T20:22:19Z",
    "nvd_published_at": "2025-03-03T17:15:16Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nIn `decrypt_in_place_detached`, the decrypted ciphertext (which is the correct ciphertext) is exposed even if the tag is incorrect.\n\n### Details\nThis is because in [decrypt_inplace](https://github.com/RustCrypto/AEADs/blob/8cda109f1128c4c7953a0bb0f53e1056d537e462/ascon-aead/src/asconcore.rs#L350-L364) in asconcore.rs, tag verification causes an error to be returned with the plaintext contents still in `buffer`. The root cause of this vulnerability is similar to https://github.com/RustCrypto/AEADs/security/advisories/GHSA-423w-p2w9-r7vq\n\n### PoC\n```rust\nuse ascon_aead::Tag;\nuse ascon_aead::{Ascon128, Key, Nonce};\nuse ascon_aead::aead::{AeadInPlace, KeyInit};\n\nfn main() {\n\n    let key = Key::\u003cAscon128\u003e::from_slice(b\"very secret key.\");\n    let cipher = Ascon128::new(key);\n\n    let nonce = Nonce::\u003cAscon128\u003e::from_slice(b\"unique nonce 012\"); // 128-bits; unique per message\n\n    let mut buffer: Vec\u003cu8\u003e = Vec::new(); // Buffer needs 16-bytes overhead for authentication tag\n    buffer.extend_from_slice(b\"plaintext message\");\n\n    // Encrypt `buffer` in-place detached, replacing the plaintext contents with ciphertext\n    cipher.encrypt_in_place_detached(nonce, b\"\", \u0026mut buffer).expect(\"encryption failure!\");\n    \n    // Decrypt `buffer` in-place with the wrong tag, ignoring the decryption error\n    let _ = cipher.decrypt_in_place_detached(nonce, b\"\", \u0026mut buffer, Tag::\u003cAscon128\u003e::from_slice(b\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"));\n\n    assert_eq!(\u0026buffer, b\"plaintext message\");\n}\n```\n### Impact\nIf a program continues to use the result of `decrypt_in_place_detached` after a decryption failure, the result will be unauthenticated. This may permit some forms of chosen ciphertext attacks (CCAs).",
  "id": "GHSA-r38m-44fw-h886",
  "modified": "2025-03-03T20:22:19Z",
  "published": "2025-03-03T20:22:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/RustCrypto/AEADs/security/advisories/GHSA-r38m-44fw-h886"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27498"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RustCrypto/AEADs/commit/d1d749ba57e38e65b0e037cd744d0b17f7254037"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/RustCrypto/AEADs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AEADs/ascon-aead: Plaintext exposed in decrypt_in_place_detached even on tag verification failure"
}

FKIE_CVE-2025-27498

Vulnerability from fkie_nvd - Published: 2025-03-03 17:15 - Updated: 2025-03-03 17:15

Severity ?

5.7 (Medium) - CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/RustCrypto/AEADs/commit/d1d749ba57e38e65b0e037cd744d0b17f7254037
	security-advisories@github.com	https://github.com/RustCrypto/AEADs/security/advisories/GHSA-r38m-44fw-h886

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "aes-gcm is a pure Rust implementation of the AES-GCM. In decrypt_in_place_detached, the decrypted ciphertext (which is the correct ciphertext) is exposed even if the tag is incorrect. This is because in decrypt_inplace in asconcore.rs, tag verification causes an error to be returned with the plaintext contents still in buffer. The vulnerability is fixed in 0.4.3."
    },
    {
      "lang": "es",
      "value": "aes-gcm es una implementaci\u00f3n pura de Rust de AES-GCM. En decrypt_in_place_ Separate, el texto cifrado descifrado (que es el texto cifrado correcto) queda expuesto incluso si la etiqueta es incorrecta. Esto se debe a que en decrypt_inplace en asconcore.rs, la verificaci\u00f3n de la etiqueta hace que se devuelva un error con el contenido del texto sin formato a\u00fan en el b\u00fafer. La vulnerabilidad se corrigi\u00f3 en 0.4.3."
    }
  ],
  "id": "CVE-2025-27498",
  "lastModified": "2025-03-03T17:15:16.443",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "HIGH",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.6,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "ACTIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-03T17:15:16.443",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/RustCrypto/AEADs/commit/d1d749ba57e38e65b0e037cd744d0b17f7254037"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/RustCrypto/AEADs/security/advisories/GHSA-r38m-44fw-h886"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-347"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-27498 (GCVE-0-2025-27498)

GHSA-R38M-44FW-H886

Summary

Details

PoC

Impact

FKIE_CVE-2025-27498

Tags

Sightings

Nomenclature