Vulnerability in FROST Implementation by Zcash Foundation Impacts Threshold Signatures
CVE-2025-58359

6 MEDIUM

Key Information:

CVE Published: 4 September 2025

What is CVE-2025-58359?

The ZF FROST implementation, versions 2.0.0 and 2.1.0, contains a vulnerability where refreshing shares with a decreased number of minimum signers undermines the security of group signatures. Users were not clearly informed about the implications of using a lower threshold during share refresh, which could lead to security risks. Although the original signing threshold could still be used after the refresh, improper adjustments might leave participants' shares vulnerable. This issue is mitigated in version 2.2.0.

Affected Version(s)

frost >= 2.0.0, < 2.2.0

CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
