CVE-2022-31053
Published 2022-06-13
Priority P260 · critical · CVSS 3.1 base score 9.8 · vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.96% (57.1th percentile)
Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid Γ-signatures. Such an attack would allow an attacker to create a token with any access level. Version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and JavaScript all have published versions following the v2 specification. There are no known workarounds for this issue.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| biscuit-auth | biscuit | — | — |
| biscuit-auth | biscuit | — | — |
| biscuit-auth | biscuit | — | — |
| biscuit-auth | biscuit | — | — |
| biscuitsec | biscuit-auth | >= 1.0.0 < 2.0.0 | 2.0.0 |
| biscuitsec | biscuit-auth | 1.0.0 – 1.1.0 | — |
| biscuitsec | biscuit-go | < 2.0.0 | 2.0.0 |
| biscuitsec | biscuit-haskell | — | — |
| biscuitsec | biscuit-haskell | >= 0.1.0.0 < 0.2.0.0 | 0.2.0.0 |
| clever-cloud | biscuit-java | < 2.0.0 | 2.0.0 |
| github.com | biscuit-auth_biscuit-go | >= 0 < 2.0.0 | 2.0.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
OSV · 2025-11-14
# CVE-2022-31053: Improper Verification of Cryptographic Signature
The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid Γ-signatures. Such an attack would allow an attacker to create a token with any access level. Version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability.
OSV · 2022-08-15
# CVE-2022-31053: Signature forgery in github.com/biscuit-auth/biscuit-go
An attacker can forge Biscuit v1 tokens with any access level.
There is no known workaround for Biscuit v1. The Biscuit v2 specification avoids this vulnerability.
OSV · 2022-06-17
# CVE-2022-31053 [CRITICAL]: Signature forgery in Biscuit
### Impact
The paper [Cryptanalysis of Aggregate Γ-Signature and Practical Countermeasures in Application to Bitcoin](https://eprint.iacr.org/2020/1484) describes a way to forge valid Γ-signatures, the signature algorithm used in the Biscuit specification version 1.
It would allow an attacker to create a token with any access level.
As Biscuit v1 was still an early version and not broadly deployed, we were able to contact all known users of Biscuit v1 and help them migrate to Biscuit v2.
We are not aware of any active exploitation of this vulnerability.
### Patches
Version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and JavaScript all have published versions following the v2 specification.
GHSA · 2022-06-17
# CVE-2022-31053 [CRITICAL] CWE-347: Signature forgery in Biscuit
### Impact
The paper [Cryptanalysis of Aggregate Γ-Signature and Practical Countermeasures in Application to Bitcoin](https://eprint.iacr.org/2020/1484) describes a way to forge valid Γ-signatures, the signature algorithm used in the Biscuit specification version 1.
It would allow an attacker to create a token with any access level.
As Biscuit v1 was still an early version and not broadly deployed, we were able to contact all known users of Biscuit v1 and help them migrate to Biscuit v2.
We are not aware of any active exploitation of this vulnerability.
### Patches
Version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and JavaScript all have published versions following the v2 specification.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-06-13