Improper Signature Verification in Yubico YubiKey Products Affects Security
CVE-2025-29991

2.2 LOW

Key Information:

Vendor: Yubico

Status: Vendor

CVE Published: 3 April 2025

What is CVE-2025-29991?

Yubico YubiKey firmware versions 5.4.1 through 5.7.3 (fixed in 5.7.4) contain a flaw in the implementation of the FIDO CTAP PIN/UV Auth Protocol Two. The device uses the signature length defined for the earlier CTAP PIN/UV Auth Protocol One even when the more secure Protocol Two is the one in use. As a result, the signature is only partially verified, which weakens the check and could potentially permit unauthorized access.

Affected Version(s)

YubiKey 5.4.1 up to, but not including, 5.7.4

CVSS V3.1

Score: 2.2
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published: 3 April 2025

  • Vulnerability reserved