GHSA-j57r-4qw6-58r3: rusty_paseto vulnerable to private key extraction due to ed25519-dalek dependency
The vulnerability, known as RUSTSEC-2022-0093, impacts the ed25519-dalek crate, which is a dependency of the rusty-paseto crate. This issue arises from a “Double Public Key Signing Function Oracle Attack” affecting versions of ed25519-dalek prior to v2.0. These versions expose an unsafe API for serializing and deserializing 64-byte keypairs that include both private and public keys, creating potential for certain attacks. d25519-dalek users utilizing these serialization and deserialization functions directly could potentially be impacted.
References
- github.com/advisories/GHSA-j57r-4qw6-58r3
- github.com/rrrodzilla/rusty_paseto
- github.com/rrrodzilla/rusty_paseto/commit/42718c1b757c1dfabb80621f2f48b8268f7fa24e
- github.com/rrrodzilla/rusty_paseto/releases/tag/v0.6.0
- github.com/rrrodzilla/rusty_paseto/security/advisories/GHSA-j57r-4qw6-58r3
- rustsec.org/advisories/RUSTSEC-2022-0093.html
Detect and mitigate GHSA-j57r-4qw6-58r3 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →