CVE-2025-52556

rfc3161-client is a Python library implementing the Time-Stamp Protocol (TSP) described in RFC 3161. Prior to version 1.0.3, there is a flaw in the timestamp response signature verification logic. In particular, chain verification is performed against the TSR's embedded certificates up to the trusted root(s), but fails to verify the TSR's own signature against the timestamping leaf certificates. Consequently, vulnerable versions perform insufficient signature validation to properly consider a TSR verified, as the attacker can introduce any TSR signature so long as the embedded leaf chains up to some root TSA. This issue has been patched in version 1.0.3. There is no workaround for this issue.

CVSS

No CVSS.

References

Link	Resource
https://github.com/trailofbits/rfc3161-client/commit/724a184f953e3f171f85cb223871172b41b0d0dc
https://github.com/trailofbits/rfc3161-client/security/advisories/GHSA-6qhv-4h7r-2g9m

Configurations

No configuration.

History

23 Jun 2025, 20:16

Type	Values Removed	Values Added
Summary		(es) rfc3161-client es una librería de Python que implementa el Protocolo de Marca de Tiempo (TSP) descrito en el RFC 3161. En versiones anteriores a la 1.0.3, existía una falla en la lógica de verificación de firma de la respuesta de marca de tiempo. En particular, la verificación en cadena se realiza con los certificados integrados del TSR hasta la raíz de confianza, pero no verifica la propia firma del TSR con los certificados hoja de marca de tiempo. Por consiguiente, las versiones vulnerables realizan una validación de firma insuficiente para considerar correctamente un TSR verificado, ya que el atacante puede introducir cualquier firma del TSR siempre que la hoja integrada se encadene hasta algún TSA raíz. Este problema se ha corregido en la versión 1.0.3. No existe una solución alternativa.

21 Jun 2025, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-21 02:15

Updated : 2025-06-23 20:16

NVD link : CVE-2025-52556

Mitre link : CVE-2025-52556

CVE.ORG link : CVE-2025-52556

JSON object : View

Products Affected

No product.

CWE

CWE-347

Improper Verification of Cryptographic Signature

{"id": "CVE-2025-52556", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-21T02:15:19.947", "references": [{"url": "https://github.com/trailofbits/rfc3161-client/commit/724a184f953e3f171f85cb223871172b41b0d0dc", "source": "security-advisories@github.com"}, {"url": "https://github.com/trailofbits/rfc3161-client/security/advisories/GHSA-6qhv-4h7r-2g9m", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "rfc3161-client is a Python library implementing the Time-Stamp Protocol (TSP) described in RFC 3161. Prior to version 1.0.3, there is a flaw in the timestamp response signature verification logic. In particular, chain verification is performed against the TSR's embedded certificates up to the trusted root(s), but fails to verify the TSR's own signature against the timestamping leaf certificates. Consequently, vulnerable versions perform insufficient signature validation to properly consider a TSR verified, as the attacker can introduce any TSR signature so long as the embedded leaf chains up to some root TSA. This issue has been patched in version 1.0.3. There is no workaround for this issue."}, {"lang": "es", "value": "rfc3161-client es una librer\u00eda de Python que implementa el Protocolo de Marca de Tiempo (TSP) descrito en el RFC 3161. En versiones anteriores a la 1.0.3, exist\u00eda una falla en la l\u00f3gica de verificaci\u00f3n de firma de la respuesta de marca de tiempo. En particular, la verificaci\u00f3n en cadena se realiza con los certificados integrados del TSR hasta la ra\u00edz de confianza, pero no verifica la propia firma del TSR con los certificados hoja de marca de tiempo. Por consiguiente, las versiones vulnerables realizan una validaci\u00f3n de firma insuficiente para considerar correctamente un TSR verificado, ya que el atacante puede introducir cualquier firma del TSR siempre que la hoja integrada se encadene hasta alg\u00fan TSA ra\u00edz. Este problema se ha corregido en la versi\u00f3n 1.0.3. No existe una soluci\u00f3n alternativa."}], "lastModified": "2025-06-23T20:16:21.633", "sourceIdentifier": "security-advisories@github.com"}