Data Exposure Vulnerability in AES-GCM Library from RustCrypto
CVE-2025-27498

5.6MEDIUM

Key Information:

Vendor

Rustcrypto

Status
Vendor
CVE Published:
3 March 2025

What is CVE-2025-27498?

The aes-gcm library by RustCrypto contains a vulnerability in its decryption process where decrypted content is exposed even when tag verification fails. Specifically, in the decrypt_in_place_detached method, the plaintext is retained in memory post-decryption regardless of the success of tag verification. This flaw creates a risk of unauthorized access to sensitive information. It is essential for users of affected versions to upgrade to version 0.4.3 or later to mitigate this risk.

Affected Version(s)

AEADs < 0.4.3

References

CVSS V4

Score:
5.6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.