VYPR
Get started
← All advisories
High severity8.2GHSA Advisory· Published Nov 24, 2025· Updated Apr 15, 2026

CVE-2025-13609

CVE-2025-13609

Description

A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
keylimePyPI
< 7.13.07.13.0

Affected products

1

Patches

1
e1ae8de1f7b1

cloud_verifier_tornado: handle exception in notify_error()

https://github.com/keylime/keylimeSergio CorreiaAug 5, 2025via ghsa
commit
1 file changed · +6 1
  • keylime/cloud_verifier_tornado.py+6 1 modified
    @@ -1868,7 +1868,12 @@ async def notify_error(
     if "agent" in notifiers:
         verifier_id = config.get("verifier", "uuid", fallback=cloud_verifier_common.DEFAULT_VERIFIER_ID)
         with session_context() as session:
-            agents = session.query(VerfierMain).filter_by(verifier_id=verifier_id).all()
+            try:
+                agents = session.query(VerfierMain).filter_by(verifier_id=verifier_id).all()
+            except Exception as e:
+                logger.error("An issue happened querying the verifier for the list of agents to notify: %s", e)
+                return
+
             futures = []
             loop = asyncio.get_event_loop()
             # Notify all agents asynchronously through a thread pool

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

14

News mentions

0

No linked articles in our index yet.