
CVE-2025-52556: rfc3161-client has insufficient verification for timestamp response signatures

CVSS Score (4.0): 9.3

Basic Information

EPSS Score: 0.01495%
Published: 6/20/2025
Updated: 6/27/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name: rfc3161-client
Ecosystem: pip
Vulnerable Versions: <= 1.0.2
First Patched Version: 1.0.3

Vulnerability Intelligence
Root Cause Analysis

The vulnerability lies in the pkcs7_verify function within rust/src/lib.rs. The function was responsible for verifying the cryptographic signature of a timestamp response. The analysis of the patch 724a184f953e3f171f85cb223871172b41b0d0dc reveals that the original implementation performed an incomplete verification. It correctly checked that the certificate in the timestamp response chained up to a trusted root certificate, but it critically failed to verify that the signature on the timestamp response was actually created by the private key corresponding to the certificate. The patch replaces this flawed, manual verification logic with a call to p7.verify(), which is the correct and complete way to verify a PKCS#7 signature using the underlying OpenSSL library. This ensures that both the certificate chain and the signature itself are validated. The new test case test_verify_fails_invalid_tsr_signature added in the patch confirms this by attempting to verify a response with a known invalid signature, which now correctly fails.
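The gap described above, reduced to a small model. This is an added example, not rfc3161-client's code: the `Cert` and `TSR` classes, the function names, and the toy textbook RSA over constructed demo primes are assumptions made for illustration only.

```python
import hashlib
from dataclasses import dataclass

# Toy textbook RSA over constructed demo primes: illustration only, not secure.
def make_key(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):
    return pow(digest(data, priv[0]), priv[1], priv[0])
def check_sig(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])

@dataclass
class Cert:              # hypothetical stand-in for an X.509 certificate
    subject: str
    pub: tuple
    issuer_sig: int      # issuer's signature over tbs()
    def tbs(self):
        return f"{self.subject}|{self.pub}".encode()

@dataclass
class TSR:               # hypothetical stand-in for a timestamp response
    tst_info: bytes      # signed content
    signer: Cert         # certificate embedded in the response
    signature: int       # signer's signature over tst_info

def verify_chain_only(tsr, root_pub):
    # Flawed pattern: the embedded certificate chains to the trusted root,
    # but tsr.signature is never checked against that certificate's key.
    return check_sig(root_pub, tsr.signer.tbs(), tsr.signer.issuer_sig)

def verify_full(tsr, root_pub):
    # Fixed pattern: chain check AND response signature check.
    return (verify_chain_only(tsr, root_pub)
            and check_sig(tsr.signer.pub, tsr.tst_info, tsr.signature))

# Constructed sample data (Mersenne primes keep the demo keys reproducible).
ROOT_PUB, ROOT_PRIV = make_key(2**61 - 1, 2**89 - 1)
TSA_PUB, TSA_PRIV = make_key(2**107 - 1, 2**127 - 1)
_tsa = Cert("CN=demo-tsa", TSA_PUB, 0)
TSA_CERT = Cert(_tsa.subject, _tsa.pub, sign(ROOT_PRIV, _tsa.tbs()))
INFO = b"hash=ab12;time=2025-06-20T00:00:00Z"
GOOD = TSR(INFO, TSA_CERT, sign(TSA_PRIV, INFO))
# Same certificate, altered content, stale signature: must be rejected.
TAMPERED = TSR(b"hash=ffff;time=2020-01-01T00:00:00Z", TSA_CERT, GOOD.signature)
```

`verify_chain_only` accepts both `GOOD` and `TAMPERED`, while `verify_full` accepts only `GOOD`; a negative test of this shape is what `test_verify_fails_invalid_tsr_signature` adds in the patch.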


Impact

`rfc3161-client` 1.0.2 and earlier contain a flaw in their timestamp response signature verification logic. In particular, it performs chain verification against the TSR's embedded certificates up to the trusted root(s), but fails to veri
