CVE-2024-53857
Published 2024-12-05
Priority P3 · 37 · high · CVSS 3.1 base score 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.45% (35.7th percentile)
rPGP is a pure Rust implementation of OpenPGP. Prior to 0.14.1, rPGP allows attackers to trigger resource exhaustion vulnerabilities in rpgp by providing crafted messages. This affects general message parsing and decryption with symmetric keys.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | rust-pgp | < rust-pgp 0.14.2-1 (forky) | rust-pgp 0.14.2-1 (forky) |
| pgp | pgp | >= 0 < 0.14.2 | 0.14.2 |
| rpgp | rpgp | < 0.14.1 | 0.14.1 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | |
| vendor_debian | 7.5 | HIGH | |
GHSA
rPGP Potential Resource Exhaustion when handling Untrusted Messages
ghsa · 2024-12-05 · CVE-2024-53857 [HIGH] · CWE-770
During a security audit, [Radically Open Security](https://www.radicallyopensecurity.com/) discovered two vulnerabilities which allow attackers to trigger resource exhaustion vulnerabilities in `rpgp` by providing crafted messages. This affects general message parsing and decryption with symmetric keys.
### Impact
Affected `rpgp` versions do not correctly set upper limits on the total reserved amount of memory when parsing long sequences of partial OpenPGP packets, which can grow to several GiB in size. Additionally, up to 4 GiB of memory is reserved for OpenPGP packets of fixed size with large length fields, even if less data is received.
Depending on existing message size restrictions and available system resources,
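The two failure modes the advisory describes, reserving memory according to a declared length before the data has arrived and letting a run of partial packets accumulate without a cumulative bound, come down to one parsing rule: check every length against a policy limit before allocating, and check the running total as well. The following is an added example written for this page, not rPGP's code; it uses a constructed chunked framing (1-byte "more chunks follow" flag, 4-byte big-endian length, payload) rather than the OpenPGP wire format, and `MAX_BODY_BYTES`, `frame` and `read_body` are names chosen here for illustration.

```rust
use std::io::Read;

/// Upper bound on the reassembled body we are willing to hold in memory.
/// Hypothetical policy value for this example, not rPGP's own setting.
pub const MAX_BODY_BYTES: u64 = 1 << 20; // 1 MiB

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// A single chunk declared more bytes than the policy allows.
    DeclaredTooLarge(u64),
    /// Individually valid chunks would exceed the limit when summed.
    TotalTooLarge,
    /// Fewer bytes arrived than the header promised.
    Truncated,
    Io,
}

/// Build one constructed chunk: flag (1 = more follow, 0 = final),
/// 4-byte big-endian length, then the payload. Test/demo helper only.
pub fn frame(more: bool, payload: &[u8]) -> Vec<u8> {
    let mut out = vec![more as u8];
    out.extend_from_slice(&(payload.len() as u32).to_be_bytes());
    out.extend_from_slice(payload);
    out
}

/// Reassemble a chunked body from `r`, never holding more than `max` bytes.
pub fn read_body<R: Read>(r: &mut R, max: u64) -> Result<Vec<u8>, ParseError> {
    let mut body = Vec::new();
    loop {
        let mut hdr = [0u8; 5];
        r.read_exact(&mut hdr).map_err(|_| ParseError::Truncated)?;
        let more = hdr[0] == 1;
        let len = u64::from(u32::from_be_bytes([hdr[1], hdr[2], hdr[3], hdr[4]]));

        // Failure mode 1: the declared length is attacker-controlled input.
        // Validate it against policy before reserving anything, and never
        // call Vec::with_capacity(len) on the raw value.
        if len > max {
            return Err(ParseError::DeclaredTooLarge(len));
        }
        // Failure mode 2: the sum over all chunks must be bounded too,
        // otherwise many small, individually valid chunks exhaust memory.
        let new_total = body.len() as u64 + len;
        if new_total > max {
            return Err(ParseError::TotalTooLarge);
        }
        // `take(len)` stops at the declared length and the buffer grows as
        // bytes actually arrive; because `len` was checked first, the buffer
        // can never exceed `max` however std chooses to grow it.
        let got = r
            .by_ref()
            .take(len)
            .read_to_end(&mut body)
            .map_err(|_| ParseError::Io)? as u64;
        if got != len {
            return Err(ParseError::Truncated);
        }
        if !more {
            return Ok(body);
        }
    }
}

fn main() {
    // Constructed well-formed message: two chunks.
    let mut msg = frame(true, b"hello ");
    msg.extend(frame(false, b"world"));
    println!("{:?}", read_body(&mut msg.as_slice(), MAX_BODY_BYTES));

    // Constructed hostile message: header claims 4 GiB - 1 bytes, 3 follow.
    let mut bogus = vec![0u8, 0xff, 0xff, 0xff, 0xff];
    bogus.extend_from_slice(b"abc");
    println!("{:?}", read_body(&mut bogus.as_slice(), MAX_BODY_BYTES));
}
```

The limit is passed in rather than hard-coded so a caller that already enforces a message-size restriction upstream can align the two; the important property is that rejection happens on the header value alone, before any buffer sized from it exists.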
OSV
CVE-2024-53857: rPGP is a pure Rust implementation of OpenPGP
osv · 2024-12-05 · CVSS 7.5 · CVE-2024-53857 [HIGH]
OSV (mirror of the GHSA advisory above)
rPGP Potential Resource Exhaustion when handling Untrusted Messages
osv · 2024-12-05 · CVE-2024-53857 [HIGH]
Debian
CVE-2024-53857: rust-pgp
vendor_debian · 2024 · CVSS 7.5 · CVE-2024-53857 [HIGH]
Scope: local
forky: resolved (fixed in 0.14.2-1)
sid: resolved (fixed in 0.14.2-1)
trixie: resolved (fixed in 0.14.2-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-12-05