Insecure Random Number Generation and Encryption Downgrade in DuckDB SQL Database
CVE-2025-64429

6.9 MEDIUM

Key Information:

Vendor: Duckdb
Status: Vendor
CVE Published: 12 November 2025

What is CVE-2025-64429?

DuckDB, a SQL database management system, has several vulnerabilities in its implementation of block-based encryption. The database can unintentionally fall back to a non-cryptographic random number generator (pcg32) when generating cryptographic keys and IVs, which creates a risk of key exposure. In addition, improper clearing of memory may leave sensitive data in heap memory. An attacker could alter database headers to switch the encryption mode from GCM to CTR, bypassing integrity checks. Finally, the return values of OpenSSL RAND_bytes() calls are not consistently validated. Compromised public IVs could allow an attacker to derive the cryptographic keys used to encrypt temporary files and to manipulate the OpenSSL random number generator without detection, posing a significant risk to users.
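The three defensive checks the description implies, shown together as an added example in C (not DuckDB's own code): a key/IV generator that fails closed when the CSPRNG reports an error instead of falling back to a weaker generator, a wipe of key material that the compiler cannot optimise away, and a header check that refuses a mode downgrade. The `csprng_fn` callback, the `cipher_mode` tags, the `db_header` layout and the stub generators are assumptions made so the code runs without OpenSSL; the real DuckDB header format is not described on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Same contract as OpenSSL's RAND_bytes(): fill buf with num bytes, return 1 on
   success and 0 or -1 on failure. A function pointer is used so the example runs
   without OpenSSL; in real code pass RAND_bytes itself. */
typedef int (*csprng_fn)(unsigned char *buf, int num);

/* Hypothetical cipher-mode tags and header layout; the real DuckDB header format is
   not described on this page. */
enum cipher_mode { MODE_GCM = 1, MODE_CTR = 2 };
struct db_header { uint8_t mode; uint8_t iv[16]; };

/* Wipe that the compiler cannot drop as a dead store, so key/IV material does not
   linger in heap memory after use. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Fail closed: if the CSPRNG reports failure, wipe the buffer and return an error
   rather than silently falling back to a non-cryptographic generator such as pcg32. */
int generate_iv(csprng_fn rng, unsigned char *iv, int len) {
    if (rng == NULL || iv == NULL || len <= 0) return -1;
    if (rng(iv, len) != 1) {
        secure_zero(iv, (size_t)len);
        return -1;
    }
    return 0;
}

/* Downgrade check: the mode recorded in the header must equal the mode the
   application was configured with, so a header rewritten from GCM to CTR is
   rejected before any data is decrypted or an integrity check is skipped. */
int check_header_mode(const struct db_header *hdr, uint8_t configured_mode) {
    if (hdr == NULL) return -1;
    return hdr->mode == configured_mode ? 0 : -1;
}

/* Stub generators, used only so the checks can be exercised offline. */
int stub_rng_ok(unsigned char *buf, int num) {
    for (int i = 0; i < num; i++) buf[i] = (unsigned char)(0xA5 ^ i); /* constructed, not random */
    return 1;
}
int stub_rng_fail(unsigned char *buf, int num) { (void)buf; (void)num; return 0; }
```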

Affected Version(s)

duckdb >= 1.4.0, < 1.4.2

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved
