
CVE-2025-53359: ethereum does not check transaction malleability for EIP-2930, EIP-1559 and EIP-7702 transactions

CVSS Score (CVSS 4.0): 6.9

Basic Information

EPSS Score: 0.16242%
Published: 7/2/2025
Updated: 7/2/2025
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Package Name: ethereum
Ecosystem: rust
Vulnerable Versions: < 0.18.0
First Patched Version: 0.18.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability lies in the fact that the ethereum crate did not apply the EIP-2 signature-malleability check to EIP-2930, EIP-1559 and EIP-7702 transactions. As a result, the signature of such a transaction could be altered without invalidating it, producing a differently hashed transaction from the same signer, which could lead to unexpected behavior in systems that rely on transaction hash uniqueness.

The patch addresses this by introducing a new TransactionSignature struct that validates the r and s components of a signature, ensuring they fall within the range required by EIP-2. This validation is performed in the TransactionSignature::new function.

The vulnerable functions are the decode implementations for EIP1559Transaction, EIP2930Transaction and EIP7702Transaction, as well as the authorizing_address function of AuthorizationListItem in the EIP-7702 implementation. These functions were modified to construct signatures through the new TransactionSignature struct, so its validation logic now runs on every decoded typed transaction. A runtime profiler would show these functions being called whenever the affected transaction types are processed.
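The following is an added example, written for this page and not taken from the ethereum crate, of the EIP-2 range check the patch describes. It defines a hypothetical CheckedSignature type (standing in for, but not reproducing, the crate's TransactionSignature) whose constructor rejects r outside (0, n) and s outside (0, n/2], and a malleate helper that derives the counterpart (y_parity ^ 1, r, n - s) of a signature so the check can be exercised: the low-s form is accepted and the high-s form is rejected. The secp256k1 order n and n/2 are the standard curve constants; the r and s values used in main are constructed test inputs, not real signatures.

```rust
use std::cmp::Ordering;

/// 256-bit unsigned integer as 32 big-endian bytes (the wire form of r and s).
type U256Be = [u8; 32];

/// secp256k1 group order n, big-endian.
const SECP256K1_N: U256Be = [
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
    0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
];

/// n / 2, the largest s value EIP-2 accepts.
const SECP256K1_N_HALF: U256Be = [
    0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x5d, 0x57, 0x6e, 0x73, 0x57, 0xa4, 0x50, 0x1d, 0xdf, 0xe9, 0x2f, 0x46, 0x68, 0x1b, 0x20, 0xa0,
];

const ZERO: U256Be = [0u8; 32];

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum SignatureError {
    /// r is zero or not below n.
    InvalidR,
    /// s is zero or above n/2 (the malleable "high-s" form).
    InvalidS,
    /// Typed transactions carry a y_parity bit, which must be 0 or 1.
    InvalidYParity,
}

/// Hypothetical example type: a signature whose components passed the EIP-2 check.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct CheckedSignature {
    pub y_parity: u8,
    pub r: U256Be,
    pub s: U256Be,
}

/// Compare two big-endian 256-bit integers.
fn cmp_be(a: &U256Be, b: &U256Be) -> Ordering {
    a.iter().cmp(b.iter())
}

impl CheckedSignature {
    /// Validate (y_parity, r, s) the way EIP-2 requires before accepting a signature.
    pub fn new(y_parity: u8, r: U256Be, s: U256Be) -> Result<Self, SignatureError> {
        if y_parity > 1 {
            return Err(SignatureError::InvalidYParity);
        }
        // 0 < r < n
        if cmp_be(&r, &ZERO) == Ordering::Equal || cmp_be(&r, &SECP256K1_N) != Ordering::Less {
            return Err(SignatureError::InvalidR);
        }
        // 0 < s <= n/2: the high-s counterpart (n - s) is rejected, so exactly one
        // of the two equivalent encodings of a signature can ever be accepted.
        if cmp_be(&s, &ZERO) == Ordering::Equal
            || cmp_be(&s, &SECP256K1_N_HALF) == Ordering::Greater
        {
            return Err(SignatureError::InvalidS);
        }
        Ok(Self { y_parity, r, s })
    }
}

/// Return the counterpart (y_parity ^ 1, n - s) of a signature's (y_parity, s).
/// Both encodings verify for the same signer; only the low-s one passes the check.
pub fn malleate(y_parity: u8, s: &U256Be) -> (u8, U256Be) {
    let mut out = [0u8; 32];
    let mut borrow: i16 = 0;
    // Schoolbook big-endian subtraction n - s, least significant byte first.
    for i in (0..32).rev() {
        let diff = SECP256K1_N[i] as i16 - s[i] as i16 - borrow;
        if diff < 0 {
            out[i] = (diff + 256) as u8;
            borrow = 1;
        } else {
            out[i] = diff as u8;
            borrow = 0;
        }
    }
    (y_parity ^ 1, out)
}

fn main() {
    // Constructed sample values, not a real signature.
    let mut r = [0u8; 32];
    r[31] = 0x01;
    let mut s = [0u8; 32];
    s[31] = 0x2a;
    println!("low-s form:  {:?}", CheckedSignature::new(0, r, s).is_ok());
    let (yp, s_high) = malleate(0, &s);
    println!("high-s form: {:?}", CheckedSignature::new(yp, r, s_high));
}
```

Run with `cargo run` or `rustc`: the low-s form is accepted and the malleated form comes back as InvalidS, which is the behaviour the patch extends from legacy to typed transactions.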


WAF Protection Rules

WAF Rule

Impact

Prior to `ethereum` crate v0.18.0, signature malleability (according to EIP-2) was only checked for "legacy" transactions, but not for EIP-2930, EIP-1559 and EIP-7702 transactions. This is a specification deviation and therefore a high s
