CVE-2025-64429 – DuckDB's block-based encryption implementation ... (How to Fix)

Q: What is the severity of CVE-2025-64429?

CVE-2025-64429 has a CVSS score of 6.5 (MEDIUM). DuckDB's block-based encryption implementation contains multiple cryptographic flaws that could allow attackers to bypass encryption, compromise keys, or downgrade security. Users of DuckDB 1.4.0 through 1.4.1 who enable database encryption are affected. The vulnerabilities stem from insecure random number generation, improper memory clearing, and missing integrity checks.

📋 TL;DR

DuckDB's block-based encryption implementation contains multiple cryptographic flaws that could allow attackers to bypass encryption, compromise keys, or downgrade security. Users of DuckDB 1.4.0 through 1.4.1 who enable database encryption are affected. The vulnerabilities stem from insecure random number generation, improper memory clearing, and missing integrity checks.

💻 Affected Systems

Products:

DuckDB

Versions: 1.4.0 through 1.4.1

Operating Systems: All platforms running DuckDB

Default Config Vulnerable: ✅ No

Notes: Only affects users who enable block-based encryption feature introduced in 1.4.0. Databases created without encryption are not vulnerable.

📦 What is this software?

Duckdb by Duckdb

View all CVEs affecting Duckdb →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database decryption and data exposure, integrity bypass allowing undetected data manipulation, and cryptographic key compromise leading to persistent access.

🟠

Likely Case

Partial data exposure through temporary file encryption bypass or integrity check circumvention, potentially allowing data tampering without detection.

🟢

If Mitigated

Limited impact if databases use strong external encryption or if DuckDB is deployed without encryption features enabled.

🌐 Internet-Facing: MEDIUM - Requires database file access or memory access; not directly exploitable over network without additional attack vectors.

🏢 Internal Only: MEDIUM - Attackers with local file system access or ability to read process memory could exploit these vulnerabilities.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires access to database files or process memory. Multiple attack vectors exist including header manipulation, memory analysis, and RNG state compromise.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.2

Vendor Advisory: https://github.com/duckdb/duckdb/security/advisories/GHSA-vmp8-hg63-v2hp

Restart Required: Yes

Instructions:

1. Download DuckDB 1.4.2 or later from official sources. 2. Replace existing DuckDB binaries. 3. Recreate encrypted databases with new version. 4. Verify encryption settings on existing databases.

🔧 Temporary Workarounds

Disable block-based encryption

all

Use DuckDB without the vulnerable encryption feature

Do not use 'PRAGMA encryption_key' or encryption-related commands
Create databases without encryption enabled

Use external encryption

all

Encrypt database files at filesystem level instead of using DuckDB's built-in encryption

Use LUKS, BitLocker, or similar filesystem encryption
Mount encrypted volumes before running DuckDB

🧯 If You Can't Patch

Disable all encryption features and rely on external storage encryption
Restrict file system access to DuckDB database files and monitor for unauthorized modifications

🔍 How to Verify

Check if Vulnerable:

Check DuckDB version and encryption status: Run DuckDB and execute '.version' command, then check if databases use encryption with 'PRAGMA encryption_status'

Check Version:

duckdb --version or from within DuckDB: .version

Verify Fix Applied:

Verify version is 1.4.2 or later and test encryption functionality with known test vectors

📡 Detection & Monitoring

Log Indicators:

Failed encryption operations
Unexpected database header modifications
Memory access patterns suggesting key extraction attempts

Network Indicators:

Not applicable - local file system vulnerability

SIEM Query:

Process execution of duckdb with version <1.4.2 AND file access patterns to *.db files with encryption headers

📊 Metadata

CVE ID: CVE-2025-64429

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE: CWE-327

EPSS Score: 0.01% exploit probability (1.2th percentile)

Published: November 12, 2025

Last Updated: November 25, 2025

🔗 References

https://duckdb.org/2025/09/16/announcing-duckdb-140.html Release Notes
https://github.com/duckdb/duckdb/blob/029a5b87ff5b1cd22f7f9717d48cd8830d00807c/src/common/random_engine.cpp#L20 Product
https://github.com/duckdb/duckdb/pull/17275 Patch
https://github.com/duckdb/duckdb/security/advisories/GHSA-vmp8-hg63-v2hp Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-64429, you might also want to check these: