CVE-2022-31053 — Improper Verification of Cryptographic Signature in Biscuit-auth Biscuit-go

CWE-347 — Improper Verification of Cryptographic Signature5 documents3 sources

Severity

9.8CRITICALNVD

EPSS

0.2%

top 54.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Biscuit-auth Biscuit-go Biscuitsec Biscuit-haskell Biscuitsec Biscuit-go +3 more

Timeline

PublishedJun 13

Latest updateNov 14

Description

Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid Γ-signatures. Such an attack would allow an attacker to create a token with any access level. The version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and Javascript…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages8 packages

▶NVDclever-cloud/biscuit-java< 2.0.0

▶Hackagebiscuitsec/biscuit-haskell0.1.0.0 — 0.2.0.0

▶NVDbiscuitsec/biscuit-haskell0.1.1.0

▶NVDbiscuitsec/biscuit-go< 2.0.0

▶crates.iobiscuitsec/biscuit-auth1.0.0 — 2.0.0

🔴Vulnerability Details

OSV

Improper Verification of Cryptographic Signature↗2025-11-14

▶

OSV

Signature forgery in github.com/biscuit-auth/biscuit-go↗2022-08-15

▶

OSV

Signature forgery in Biscuit↗2022-06-17

▶

GHSA

Signature forgery in Biscuit↗2022-06-17

▶