CVE-2025-13353

Published: 02 Dec 2025
Source: nvd
CVSS3: 5.5
EPSS: Low

Description

In gokey versions <0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed.

This issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any passwords/secrets that were derived from the seed file (using the -s option). Even if the input seed file stays the same, version 0.2.0 gokey will generate different secrets.

Impact

This vulnerability impacts generated keys/secrets using a seed file as an entropy input (using the -s option). Keys/secrets generated just from the master password (without the -s option) are not impacted. The confidentiality of the seed itself is also not impacted (it is not required to regenerate the seed itself). Specific impact includes:

  • keys/secrets generated from a seed file may have lower entropy: it was expected that the whole seed would be used to generate keys (240 bytes of entropy input), where in ...

Vulnerable configurations

Configuration 1
cpe:2.3:a:cloudflare:gokey:*:*:*:*:*:go:*:*
Version before 0.2.0 (excluding)

EPSS

Score: 0.00026 (percentile: 6%, Low)

CVSS3

5.5 Medium

Weaknesses

CWE-330

Related vulnerabilities

CVSS3: 5.5
ubuntu
2 months ago

In gokey versions <0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed. This issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any passwords/secrets that were derived from the seed file (using the -s option). Even if the input seed file stays the same, version 0.2.0 gokey will generate different secrets. Impact This vulnerability impacts generated keys/secrets using a seed file as an entropy input (using the -s option). Keys/secrets generated just from the master password (without the -s option) are not impacted. The confidentiality of the seed itself is also not impacted (it is not required to regenerate the seed itself). Specific impact includes: * keys/secrets generated from a seed file may have lower entropy: it was expected that the whole seed would be used to generate keys (240 bytes of entropy input), where in ...

CVSS3: 5.5
debian
2 months ago

In gokey versions <0.2.0, a flaw in the seed decryption logic resulte ...

github
2 months ago

gokey allows secret recovery from a seed file without the master password
