High severityNVD Advisory· Published Dec 2, 2025· Updated Dec 2, 2025

gokey allows secret recovery from a seed file without the master password

CVE-2025-13353

Description

In gokey versions <0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed.

This issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any passwords/secrets that were derived from the seed file (using the -s option). Even if the input seed file stays the same, version 0.2.0 gokey will generate different secrets.

Impact This vulnerability impacts generated keys/secrets using a seed file as an entropy input (using the -s option). Keys/secrets generated just from the master password (without the -s option) are not impacted. The confidentiality of the seed itself is also not impacted (it is not required to regenerate the seed itself). Specific impact includes:

* keys/secrets generated from a seed file may have lower entropy: it was expected that the whole seed would be used to generate keys (240 bytes of entropy input), where in vulnerable versions only 28 bytes was used

* a malicious entity could have recovered all passwords, generated from a particular seed, having only the seed file in possession without the knowledge of the seed master password

Patches The code logic bug has been fixed in gokey version 0.2.0 and above. Due to the deterministic nature of gokey, fixed versions will produce different passwords/secrets using seed files, as all seed entropy will be used now.

System secret rotation guidance It is advised for users to regenerate passwords/secrets using the patched version of gokey (0.2.0 and above), and provision/rotate these secrets into respective systems in place of the old secret. A specific rotation procedure is system-dependent, but most common patterns are described below.

Systems that do not require the old password/secret for rotation Such systems usually have a "Forgot password" facility or a similar facility allowing users to rotate their password/secrets by sending a unique "magic" link to the user's email or phone. In such cases users are advised to use this facility and input the newly generated password secret, when prompted by the system.

Systems that require the old password/secret for rotation Such systems usually have a modal password rotation window usually in the user settings section requiring the user to input the old and the new password sometimes with a confirmation. To generate/recover the old password in such cases users are advised to:

temporarily download gokey version 0.1.3 https://github.com/cloudflare/gokey/releases/tag/v0.1.3 for their respective operating system to recover the old password

use gokey version 0.2.0 or above to generate the new password

populate the system provided password rotation form

Systems that allow multiple credentials for the same account to be provisioned Such systems usually require a secret or a cryptographic key as a credential for access, but allow several credentials at the same time. One example is SSH: a particular user may have several authorized public keys configured on the SSH server for access. For such systems users are advised to:

generate a new secret/key/credential using gokey version 0.2.0 or above

provision the new secret/key/credential in addition to the existing credential on the system

verify that the access or required system operation is still possible with the new secret/key/credential

revoke authorization for the existing/old credential from the system

Credit This vulnerability was found by Théo Cusnir ( @mister_mime https://hackerone.com/mister_mime ) and responsibly disclosed through Cloudflare's bug bounty program.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In gokey versions before ey versions before 0.2.0, a seed decryption bug caused passwords to be derived from only 28 bytes of entropy instead of 240, allowing recovery without the master password.

Vulnerability

Overview

In gokey versions prior to 0.2.0, a flaw in the seed decryption logic caused passwords to be incorrectly derived solely from the initial vector (12 bytes) and the AES-GCM authentication tag (16 bytes) of the key seed, rather than from the full seed content [1][3]. The root cause was a programming error in the unwrapSeed function, where the gcm.Open call was passed a slice starting at offset 12 but with a length equal to the entire remaining seed, instead of an empty slice [4]. This effectively ignored the encrypted seed data beyond the nonce and ciphertext, using only the nonce and tag as entropy.

Exploitation and

Attack Surface

An attacker who obtains a seed file (used with the -s option) can recover all passwords generated from that seed without knowledge of the master password [1][3]. The attack requires only the seed file itself; no authentication or network access is needed beyond possession of the file. The vulnerability does not affect passwords generated solely from the master password (without -s) [1].

Impact

The effective entropy of generated secrets dropped from the intended 240 bytes to only 28 bytes, significantly reducing the security margin [1][3]. More critically, a malicious entity with the seed file can derive all associated passwords offline, completely bypassing the master password protection [1][3]. The confidentiality of the seed file itself is not compromised, but its possession alone is sufficient for full secret recovery.

Mitigation

The issue is fixed in gokey version 0.2.0 [1][2][3]. The fix is a breaking change: all passwords/secrets derived from seed files with the -s option are invalidated, and even with the same seed file, version 0.2.0 will generate different secrets [1][3]. Users must regenerate secrets using the patched version and rotate them in their systems [1][3].

References

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/cloudflare/gokeyGo	< 0.2.0	0.2.0

Affected products

Cloudflare/gokeyllm-create
Range: <0.2.0
Cloudflare/gokeyv5
Range: 0.1.0

Patches

f261819e99ea

Fix a logic bug for the encrypted seed unwrap

https://github.com/cloudflare/gokeyIgnat KorchaginNov 18, 2025via ghsa

commit

1 file changed · +1 −1

csprng.go+1 −1 modified

@@ -101,7 +101,7 @@ func unwrapSeed(password string, seed []byte) ([]byte, error) {
 	}
 
 	pt := make([]byte, len(seed))
-	_, err = gcm.Open(pt[12:], seed[:12], seed[12:], nil)
+	_, err = gcm.Open(pt[12:][:0], seed[:12], seed[12:], nil)
 	if err != nil {
 		return nil, err
 	}

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-69jw-4jj8-fcxmghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-13353ghsaADVISORY
github.com/cloudflare/gokey/commit/f261819e99ea169843bd5aa3e643d046260ff511ghsaWEB
github.com/cloudflare/gokey/security/advisories/GHSA-69jw-4jj8-fcxmghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000