CVE-2024-53857: rPGP Potential Resource Exhaustion when handling Untrusted Messages

December 5, 2024

During a security audit, Radically Open Security discovered two vulnerabilities which allow attackers to trigger resource exhaustion vulnerabilities in rpgp by providing crafted messages. This affects general message parsing and decryption with symmetric keys.

References

github.com/advisories/GHSA-4grw-m28r-q285
github.com/rpgp/rpgp
github.com/rpgp/rpgp/security/advisories/GHSA-4grw-m28r-q285
nvd.nist.gov/vuln/detail/CVE-2024-53857

Detect and mitigate CVE-2024-53857 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →