VDB
CVE-2025-67897
CVE-2025-67897
PUBLISHED
CVSS 5.300000190734863 MEDIUM
In Sequoia before 2.1.0, aes_key_unwrap panics if passed a ciphertext that is too short. A remote attacker can take advantage of this issue to crash an application by sending a victim an encrypted message with a crafted PKESK or SKESK packet.
EPSS 0.17% · 37.5th percentile
Risk Scores
CVSS v3.1
5.300000190734863
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS Score
0.17%
37.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| sequoia-pgp | sequoia | 0 |
| crates.io | sequoia-openpgp | 0 |
Timeline
- Nov 7, 2025 CVE Published
- Dec 14, 2025 EPSS Score
- Dec 14, 2025 CVE ID Reserved
- Dec 15, 2025 CVE Updated
- Dec 18, 2025 EPSS Score
- Dec 22, 2025 EPSS Score
- Dec 26, 2025 EPSS Score
- Dec 30, 2025 EPSS Score
- Jan 3, 2026 EPSS Score
- Jan 7, 2026 EPSS Score
- Jan 11, 2026 EPSS Score
- Jan 15, 2026 EPSS Score
References
- https://gitlab.com/sequoia-pgp/sequoia/-/commit/b59886e5e7bdf7169ed330f309a6633d131776e5 url
- https://bugs.debian.org/1122582 url
- https://gitlab.com/sequoia-pgp/sequoia/-/blob/b59886e5e7bdf7169ed330f309a6633d131776e5/openpgp/NEWS#L7-L26 url
- https://nvd.nist.gov/vuln/detail/CVE-2025-67897 advisory
- https://gitlab.com/sequoia-pgp/sequoia package
- https://rustsec.org/advisories/RUSTSEC-2025-0136.html url