Reported

November 24, 2025

Issued

November 25, 2025 (last modified: November 26, 2025)

Package

cggmp24 (crates.io)

Type

Vulnerability

Categories

• crypto-failure

Keywords

#zk-proof

Aliases

• CVE-2025-66016
• GHSA-m95p-425x-x889

References

• https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained

Patched

• >=0.7.0-alpha.2

Description

Vulnerability concerns a missing check in the ZK proof that enables an attack in which single malicious signer can reconstruct full private key.

Patches

• cggmp21 v0.6.3 is a patch release that contains a fix that introduces this specific missing check.
• However, we recommend upgrading to cggmp24 v0.7.0-alpha.2 in which we've introduced many other security checks as a precaution. Follow the migration guidelines to upgrade.

References

Read our blog post to learn more.

Advisory available under CC0-1.0 license.