5.6

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-27498

GHSA ID

GHSA-r38m-44fw-h886

EPSS Score

0.01484%

CWE

CWE-347

Published

3/3/2025

Updated

3/3/2025

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-27498

CVE-2025-27498: AEADs/ascon-aead: Plaintext exposed in decrypt_in_place_detached even on tag verification failure

Summary

In decrypt_in_place_detached, the decrypted ciphertext (which is the correct ciphertext) is exposed even if the tag is incorrect.

Details

This is because in decrypt_inplace in asconcore.rs, tag verification causes an error to be returned with the plaintext contents still in buffer. The root cause of this vulnerability is similar to https://github.com/RustCrypto/AEADs/security/advisories/GHSA-423w-p2w9-r7vq

PoC

use ascon_aead::Tag;
use ascon_aead::{Ascon128, Key, Nonce};
use ascon_aead::aead::{AeadInPlace, KeyInit};

fn main() {

    let key = Key::<Ascon128>::from_slice(b"very secret key.");
    let cipher = Ascon128::new(key);

    let nonce = Nonce::<Ascon128>::from_slice(b"unique nonce 012"); // 128-bits; unique per message

    let mut buffer: Vec<u8> = Vec::new(); // Buffer needs 16-bytes overhead for authentication tag
    buffer.extend_from_slice(b"plaintext message");

    // Encrypt `buffer` in-place detached, replacing the plaintext contents with ciphertext
    cipher.encrypt_in_place_detached(nonce, b"", &mut buffer).expect("encryption failure!");
    
    // Decrypt `buffer` in-place with the wrong tag, ignoring the decryption error
    let _ = cipher.decrypt_in_place_detached(nonce, b"", &mut buffer, Tag::<Ascon128>::from_slice(b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"));

    assert_eq!(&buffer, b"plaintext message");
}

Impact

If a program continues to use the result of decrypt_in_place_detached after a decryption failure, the result will be unauthenticated. This may permit some forms of chosen ciphertext attacks (CCAs).

(GitHub Advisory)

5.6

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-27498

GHSA ID

GHSA-r38m-44fw-h886

EPSS Score

0.01484%

CWE

CWE-347

Published

3/3/2025

Updated

3/3/2025

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ascon_aead	rust	<= 0.4.2	0.4.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the decrypt_in_place_detached implementation in asconcore.rs where tag verification failure didn't clear the decrypted buffer. The proof-of-concept demonstrates plaintext retention after failed decryption, and the patch adds ciphertext.fill(0) in the error path. The function's control flow matches the described vulnerability pattern of returning unauthenticated plaintext, making AsconCore::decrypt_in_place_detached the clear vulnerable entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry In `***rypt_in_pl***_**t*****`, t** ***rypt** *ip**rt*xt (w*i** is t** *orr**t *ip**rt*xt) is *xpos** *v*n i* t** t** is in*orr**t. ### **t*ils T*is is ****us* in [***rypt_inpl***](*ttps://*it*u*.*om/Rust*rypto/****s/*lo*/***************

Reasoning

T** vuln*r**ility st*ms *rom t** ***rypt_in_pl***_**t***** impl*m*nt*tion in *s*on*or*.rs w**r* t** v*ri*i**tion **ilur* *i*n't *l**r t** ***rypt** *u***r. T** proo*-o*-*on**pt **monstr*t*s pl*int*xt r*t*ntion **t*r **il** ***ryption, *n* t** p*t** *

5.6

Basic Information

Concerned about an active attack path?

CVE-2025-27498: AEADs/ascon-aead: Plaintext exposed in decrypt_in_place_detached even on tag verification failure

Summary

Details

PoC

Impact

5.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI