{"id":"RUSTSEC-2022-0093","summary":"Double Public Key Signing Function Oracle Attack on `ed25519-dalek`","details":"Versions of `ed25519-dalek` prior to v2.0 model private and public keys as\nseparate types which can be assembled into a `Keypair`, and also provide APIs\nfor serializing and deserializing 64-byte private/public keypairs.\n\nSuch APIs and serializations are inherently unsafe as the public key is one of\nthe inputs used in the deterministic computation of the `S` part of the signature,\nbut not in the `R` value. An adversary could somehow use the signing function as\nan oracle that allows arbitrary public keys as input can obtain two signatures\nfor the same message sharing the same `R` and only differ on the `S` part.\n\nUnfortunately, when this happens, one can easily extract the private key.\n\nRevised public APIs in v2.0 of `ed25519-dalek` do NOT allow a decoupled\nprivate/public keypair as signing input, except as part of specially labeled\n\"hazmat\" APIs which are clearly labeled as being dangerous if misused.","aliases":["CVE-2022-50237","GHSA-w5vr-6qhr-36cc"],"modified":"2025-10-28T06:02:18Z","published":"2022-06-11T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/ed25519-dalek"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2022-0093.html"},{"type":"WEB","url":"https://github.com/MystenLabs/ed25519-unsafe-libs"}],"affected":[{"package":{"name":"ed25519-dalek","ecosystem":"crates.io","purl":"pkg:cargo/ed25519-dalek"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"2.0.0"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"os":[],"functions":[]}},"database_specific":{"cvss":null,"categories":["crypto-failure"],"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0093.json"}}],"schema_version":"1.7.3"}