CVE-2025-67897
📋 TL;DR
This vulnerability in Sequoia PGP library versions before 2.1.0 allows remote attackers to crash applications by sending specially crafted encrypted messages. The aes_key_unwrap function panics when processing ciphertext that is too short, leading to denial of service. Any application using vulnerable Sequoia versions for PGP decryption is affected.
💻 Affected Systems
- Sequoia PGP library
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete application crash leading to denial of service, potentially disrupting critical services that rely on PGP decryption.
Likely Case
Application crashes when processing malicious PGP messages, causing service disruption until restart.
If Mitigated
Minimal impact with proper input validation and error handling in place.
🎯 Exploit Status
Attack requires sending crafted encrypted messages to vulnerable applications.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.0
Vendor Advisory: https://gitlab.com/sequoia-pgp/sequoia/-/blob/b59886e5e7bdf7169ed330f309a6633d131776e5/openpgp/NEWS#L7-L26
Restart Required: Yes
Instructions:
1. Update Sequoia to version 2.1.0 or later.
2. Rebuild applications using Sequoia.
3. Restart affected services.
🔧 Temporary Workarounds
Input validation wrapper
Add custom validation that checks the ciphertext length before it is passed to aes_key_unwrap
Implement pre-processing to validate PKESK/SKESK packet sizes
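The guard described in this workaround, written out as an added example (not code from Sequoia or from this site). The names `check_wrapped_len` and `guarded_unwrap` are hypothetical; the wrapper does not call Sequoia's API and takes the real unwrap routine as a closure, so the only thing it demonstrates is the structural check that must run before a wrapped key reaches unwrap code: an AES key wrap ciphertext (RFC 3394 / SP 800-38F) is always a whole number of 64-bit blocks and one block longer than the key data, so anything shorter than two blocks or not 8-byte aligned is rejected with an error rather than handed on. The `main` uses a stand-in closure (not AES) only to show the guard's two outcomes.

```rust
use std::fmt;

/// One AES key wrap "semiblock": 64 bits.
const KW_BLOCK: usize = 8;

/// Floor for a plausible wrapped key: the integrity block plus one 64-bit key
/// block. Classic RFC 3394 / SP 800-38F KW needs at least two key blocks, i.e.
/// 24 bytes of ciphertext; 16 is used here so RFC 5649 padded single-block
/// keys are not rejected by the guard. Tune this to the decryptor you wrap.
const MIN_WRAPPED_LEN: usize = 2 * KW_BLOCK;

#[derive(Debug, PartialEq)]
pub enum UnwrapGuardError {
    /// Ciphertext shorter than any valid wrapped key.
    TooShort { len: usize, min: usize },
    /// Ciphertext length is not a whole number of 64-bit blocks.
    NotBlockAligned { len: usize },
    /// The underlying unwrap routine reported a failure.
    Unwrap(String),
}

impl fmt::Display for UnwrapGuardError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::TooShort { len, min } => {
                write!(f, "wrapped key too short: {} bytes, need at least {}", len, min)
            }
            Self::NotBlockAligned { len } => {
                write!(f, "wrapped key length {} is not a multiple of {}", len, KW_BLOCK)
            }
            Self::Unwrap(msg) => write!(f, "unwrap failed: {}", msg),
        }
    }
}

impl std::error::Error for UnwrapGuardError {}

/// Structural check an AES-KW ciphertext must pass before any unwrap code
/// touches it. Returns an error instead of letting a too-short input reach
/// code that might index past the end and panic.
pub fn check_wrapped_len(ciphertext: &[u8]) -> Result<(), UnwrapGuardError> {
    let len = ciphertext.len();
    if len < MIN_WRAPPED_LEN {
        return Err(UnwrapGuardError::TooShort { len, min: MIN_WRAPPED_LEN });
    }
    if len % KW_BLOCK != 0 {
        return Err(UnwrapGuardError::NotBlockAligned { len });
    }
    Ok(())
}

/// Hypothetical wrapper: validates first, and only then delegates to the real
/// unwrap routine the caller supplies (in a deployment that closure would call
/// the library; nothing here is Sequoia's code).
pub fn guarded_unwrap<F>(ciphertext: &[u8], unwrap: F) -> Result<Vec<u8>, UnwrapGuardError>
where
    F: FnOnce(&[u8]) -> Result<Vec<u8>, String>,
{
    check_wrapped_len(ciphertext)?;
    unwrap(ciphertext).map_err(UnwrapGuardError::Unwrap)
}

fn main() {
    // Stand-in for a real key-unwrap routine: NOT AES key wrap. It only drops
    // the leading integrity block so the guard's two paths can be exercised.
    let stand_in_unwrap = |ct: &[u8]| -> Result<Vec<u8>, String> { Ok(ct[KW_BLOCK..].to_vec()) };

    // Constructed inputs: a 40-byte ciphertext (32 bytes of key data plus the
    // integrity block) and a truncated body of the kind that must be refused.
    let plausible = vec![0x5au8; 40];
    let truncated = vec![0x5au8; 5];

    for ct in [&plausible, &truncated] {
        match guarded_unwrap(ct, stand_in_unwrap) {
            Ok(key) => println!("{} bytes -> unwrapped {} bytes of key data", ct.len(), key.len()),
            Err(e) => println!("{} bytes -> rejected: {}", ct.len(), e),
        }
    }
}
```

The important property is that the closure is never invoked for a rejected input, so a library that panics on short ciphertext is simply never reached; the same check can be applied to the encrypted session key field of PKESK/SKESK packets before they are handed to the decryptor.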
🧯 If You Can't Patch
- Implement network filtering to block suspicious PGP messages
- Monitor application logs for panic/crash events and implement automatic restart
🔍 How to Verify
Check if Vulnerable:
Check Sequoia version in dependencies or run: cargo tree | grep sequoia
Check Version:
cargo tree | grep sequoia-openpgp
Verify Fix Applied:
Verify Sequoia version is 2.1.0 or later: cargo tree | grep sequoia-openpgp
📡 Detection & Monitoring
Log Indicators:
- Application panic logs mentioning aes_key_unwrap
- Process crashes during PGP decryption
Network Indicators:
- Incoming PGP messages with unusually small ciphertext
SIEM Query:
process:panic AND message:aes_key_unwrap
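The log indicators and SIEM query above, turned into a small scanner as an added example (not code from Sequoia or from this site). The log lines are constructed syslog-style samples, not real Sequoia output, and the function names are hypothetical; the scanner applies the same two conditions as the SIEM query (a panic record that names aes_key_unwrap), extracts the process from the `name[pid]:` token, and feeds a per-process count into the "automatic restart" decision the monitoring workaround calls for.

```rust
/// One detection hit from the log scan.
#[derive(Debug, PartialEq)]
pub struct PanicHit {
    pub line_no: usize,
    pub process: String,
}

/// Scan log lines for process panics that mention aes_key_unwrap, mirroring the
/// query `process:panic AND message:aes_key_unwrap`. "panic" is matched
/// case-insensitively (covers "panicked", "PANIC"); the function name exactly.
pub fn scan_for_unwrap_panics(lines: &[&str]) -> Vec<PanicHit> {
    lines
        .iter()
        .enumerate()
        .filter(|(_, line)| {
            line.to_ascii_lowercase().contains("panic") && line.contains("aes_key_unwrap")
        })
        .map(|(i, line)| PanicHit { line_no: i + 1, process: process_name(line) })
        .collect()
}

/// Pull the program name out of the syslog-style "name[pid]:" token; falls
/// back to "unknown" when the line is not in that shape.
fn process_name(line: &str) -> String {
    line.split_whitespace()
        .find(|tok| tok.ends_with("]:") && tok.contains('['))
        .and_then(|tok| tok.split('[').next())
        .unwrap_or("unknown")
        .to_string()
}

/// Restart decision for the "monitor and automatically restart" workaround:
/// true once a process has hit the unwrap panic at least `threshold` times in
/// the scanned window.
pub fn needs_restart(hits: &[PanicHit], process: &str, threshold: usize) -> bool {
    hits.iter().filter(|h| h.process == process).count() >= threshold
}

/// Constructed sample log lines (not real Sequoia output): a mail service that
/// panics during decryption twice, plus an unrelated panic and an unrelated
/// decrypt line that must not match.
pub const SAMPLE_LOG: &[&str] = &[
    "2025-06-01T10:00:01Z host mailer[4242]: decrypting inbound message id=abc123",
    "2025-06-01T10:00:01Z host mailer[4242]: thread 'decrypt' panicked at <path elided>: aes_key_unwrap: ciphertext too short",
    "2025-06-01T10:00:02Z host systemd[1]: mailer.service: main process exited, code=killed, status=6/ABRT",
    "2025-06-01T10:00:05Z host indexer[5151]: thread 'main' panicked at <path elided>: called `unwrap()` on a `None` value",
    "2025-06-01T10:00:09Z host mailer[4343]: thread 'decrypt' panicked at <path elided>: aes_key_unwrap: ciphertext too short",
];

fn main() {
    let hits = scan_for_unwrap_panics(SAMPLE_LOG);
    for h in &hits {
        println!("line {}: aes_key_unwrap panic in process {}", h.line_no, h.process);
    }
    if needs_restart(&hits, "mailer", 2) {
        println!("mailer: restart threshold reached");
    }
}
```

The fourth sample line shows why the query pairs the two conditions: a panic that merely contains `unwrap` in the generic Rust "called `unwrap()` on a `None` value" message is not this CVE and is left alone.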