Data Exposure Vulnerability in AES-GCM Library from RustCrypto
CVE-2025-27498
5.6MEDIUM
What is CVE-2025-27498?
The aes-gcm library by RustCrypto contains a vulnerability in its decryption process where decrypted content is exposed even when tag verification fails. Specifically, in the decrypt_in_place_detached method, the plaintext is retained in memory post-decryption regardless of the success of tag verification. This flaw creates a risk of unauthorized access to sensitive information. It is essential for users of affected versions to upgrade to version 0.4.3 or later to mitigate this risk.
Affected Version(s)
AEADs < 0.4.3
