{"id":"HSEC-2024-0009","summary":"Public key confusion in third-party blocks","details":"# Public key confusion in third-party blocks\n\nThird-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it:\n\n- the public key of the previous block (used in the signature);\n- the public keys part of the token symbol table (for public key interning in datalog expressions).\n\nA third-party block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair.\n","aliases":["CVE-2024-41949","CVE-2024-42350","GHSA-47cq-pc2v-3rmp","GHSA-p9w4-585h-g3c7","GHSA-rgqv-mwc3-c78m"],"modified":"2025-11-14T18:15:43.110342Z","published":"2025-11-14T14:45:34Z","database_specific":{"osvs":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export","repository":"https://github.com/haskell/security-advisories","home":"https://github.com/haskell/security-advisories"},"references":[{"type":"ADVISORY","url":"https://github.com/biscuit-auth/biscuit-haskell/security/advisories/GHSA-47cq-pc2v-3rmp"},{"type":"FIX","url":"https://github.com/biscuit-auth/biscuit-haskell/pull/93"}],"affected":[{"package":{"name":"biscuit-haskell","ecosystem":"Hackage","purl":"pkg:hackage/biscuit-haskell"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.3.0.0"},{"fixed":"0.4.0.0"}]}],"versions":["0.3.0.0","0.3.0.1"],"database_specific":{"source":"https://github.com/haskell/security-advisories/blob/generated/osv-export/2024/HSEC-2024-0009.json","human_link":"https://github.com/haskell/security-advisories/tree/main/advisories/published/2024/HSEC-2024-0009.md","osv":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2024/HSEC-2024-0009.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N"}]}],"schema_version":"1.7.3"}