
GHSA-qr9h-x63w-vqfm: OpenMLS improper persistence of the secret tree during message processing

September 26, 2025

A bug in the OpenMLS library prevented private key material from being updated in storage during message processing. The key material in question is the set of keys held in the MLS secret tree, which are used to decrypt private MLS messages. The effects of the bug are limited in scope, but they can affect forward secrecy and limit how many messages can be decrypted.

References

  • github.com/advisories/GHSA-qr9h-x63w-vqfm
  • github.com/openmls/openmls
  • github.com/openmls/openmls/commit/c73a074c804b30bec8284ac1e69a71b01db982ea
  • github.com/openmls/openmls/security/advisories/GHSA-qr9h-x63w-vqfm


Affected versions

All versions before 0.7.1

Fixed versions

  • 0.7.1

Solution

Upgrade to version 0.7.1 or above.
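The advisory gives only a version boundary (everything before 0.7.1 is affected), so the practical check is whether a project's `Cargo.lock` pins an older `openmls`. The script below is an added example written for this page; it is not code from the OpenMLS project or from the advisory database. It reads `[[package]]` tables from a lock file with a small line-oriented parser (so no TOML library is needed), compares each `openmls` version against the fixed release with a semver-style ordering in which pre-releases sort below the final release, and lists the affected entries. The lock-file text embedded in it is constructed sample data.

```python
"""Flag Cargo.lock entries for openmls older than the fixed release 0.7.1.

Added example for advisory GHSA-qr9h-x63w-vqfm; not part of the OpenMLS
project or of the GitLab advisory database. SAMPLE_LOCK is constructed data.
"""
import re

ADVISORY = "GHSA-qr9h-x63w-vqfm"
CRATE = "openmls"
FIXED_VERSION = "0.7.1"  # from the advisory: all versions before 0.7.1 are affected

# Constructed sample Cargo.lock: two copies of openmls, one of them affected.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "openmls"
version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "openmls"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.210"
"""

_PACKAGE_HEADER = "[[package]]"
_KEY_RE = re.compile(r'^(name|version)\s*=\s*"([^"]*)"')


def parse_cargo_lock(text):
    """Return (name, version) pairs for every [[package]] table in a Cargo.lock.

    Minimal line-oriented parser: only the `name` and `version` keys are read.
    """
    packages, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == _PACKAGE_HEADER:
            if current and "name" in current:
                packages.append((current["name"], current.get("version", "")))
            current = {}
        elif current is not None:
            m = _KEY_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    if current and "name" in current:
        packages.append((current["name"], current.get("version", "")))
    return packages


def version_key(version):
    """Turn '0.7.1' or '0.7.1-pre.1' into a comparable tuple.

    The numeric core is padded to three parts; a pre-release tag sorts below
    the final release with the same numbers, as semver requires.
    """
    core, _, pre = version.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums = nums + (0,) * (3 - len(nums))
    return nums + ((0,) if pre else (1,))


def is_affected(version):
    """True if this openmls version falls in the advisory's affected range."""
    return version_key(version) < version_key(FIXED_VERSION)


def find_vulnerable(lock_text):
    """List the (name, version) lock entries that match the advisory."""
    return [(name, ver) for name, ver in parse_cargo_lock(lock_text)
            if name == CRATE and is_affected(ver)]


if __name__ == "__main__":
    for name, ver in find_vulnerable(SAMPLE_LOCK):
        print(f"{ADVISORY}: {name} {ver} is affected; "
              f"upgrade to {FIXED_VERSION} or later")
```

Replace `SAMPLE_LOCK` with the contents of a real `Cargo.lock` to run the check against a project; a lock file can legitimately list the same crate at several versions, which is why every entry is reported rather than only the first match.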

Weakness

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Source file

cargo/openmls/GHSA-qr9h-x63w-vqfm.yml


Page generated Mon, 06 Oct 2025 12:20:04 +0000.