VYPR
Critical severity · OSV Advisory · Published Nov 25, 2025 · Updated Apr 15, 2026

CVE-2025-66016

Description

CGGMP24 is a state-of-the-art ECDSA TSS protocol that supports 1-round signing (requiring 3 preprocessing rounds), identifiable abort, and a key refresh protocol. Prior to version 0.6.3, a missing check in the ZK proof enables an attack in which a single malicious signer can reconstruct the full private key. This issue has been patched in version 0.6.3; for full mitigation it is recommended to upgrade to cggmp24 version 0.7.0-alpha.2, as it contains additional security checks.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package    Source      Affected versions    Patched versions
cggmp21    crates.io   < 0.6.3              0.6.3
cggmp24    crates.io   < 0.7.0-alpha.2      0.7.0-alpha.2

Patches (1)
60e0ada5291e

Add missing check

https://github.com/LFDT-Lockness/cggmp21 · Denis Varlakov · Aug 12, 2025 · via ghsa
4 files changed · +18 −6
  • Cargo.lock (modified, +3 −4)
    @@ -298,7 +298,7 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
     
     [[package]]
     name = "cggmp21"
    -version = "0.6.1"
    +version = "0.6.2"
     dependencies = [
      "cggmp21-keygen",
      "digest",
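Review bot: the lockfile entry for cggmp21 is bumped only to 0.6.2 here, while cggmp21/Cargo.toml in this same commit moves the crate from 0.6.2 to 0.6.3, so Cargo.lock is still one version behind the manifest after the change. Regenerate the lockfile (a plain `cargo build`, or `cargo update -p cggmp21`) so it records `version = "0.6.3"` and builds run with `--locked` do not fail.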
    @@ -1645,9 +1645,8 @@ dependencies = [
     
     [[package]]
     name = "paillier-zk"
    -version = "0.4.1"
    -source = "registry+https://github.com/rust-lang/crates.io-index"
    -checksum = "41f7666e5a36fe77ef28a4f8306367a759c7caacbdf8eeea89f524ccc2ade933"
    +version = "0.4.3"
    +source = "git+https://github.com/dfnsco/paillier-zk-private-security-fix?branch=cggmp21%2Fadd-missing-check#91ce589ebed7b5cf92f0f77240d515377002eff1"
     dependencies = [
      "digest",
      "fast-paillier",
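Review bot: the paillier-zk entry loses its `checksum` line because the dependency now comes from a git source (a branch on the third-party fork dfnsco/paillier-zk-private-security-fix) instead of the crates.io registry; git sources carry no registry checksum, so integrity now rests entirely on the commit `91ce589ebed7b5cf92f0f77240d515377002eff1` pinned in the `source` URL. Consider publishing paillier-zk 0.4.3 to crates.io and restoring `source = "registry+https://github.com/rust-lang/crates.io-index"` with its checksum, so downstream users receive the fix through a normal registry update rather than by trusting a fork.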
    
  • Cargo.toml (modified, +1 −1)
    @@ -19,7 +19,7 @@ generic-ec = { version = "0.4.1", default-features = false }
     generic-ec-zkp = { version = "0.4.1", default-features = false } 
     round-based = { version = "0.4.1", default-features = false }
     
    -paillier-zk = "0.4.1" 
    +paillier-zk = { version = "0.4.3", git = "https://github.com/dfnsco/paillier-zk-private-security-fix", branch = "cggmp21/add-missing-check" } 
     udigest = { version = "0.2.1", default-features = false }
     
     digest = { version = "0.10", default-features = false }
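Review bot: the workspace `paillier-zk` dependency is now a git dependency selected by `branch` with no `rev`, so only Cargo.lock pins the exact commit; any consumer that re-resolves, or that does not use this lockfile, follows the branch head instead of the reviewed fix. Add `rev = "91ce589ebed7b5cf92f0f77240d515377002eff1"` (the commit the lockfile records) or, better, depend on a published `paillier-zk = "0.4.3"`, since `cargo publish` ignores the git source and will require version 0.4.3 to exist on crates.io when cggmp21 0.6.3 is released. The new line also keeps a trailing space after the closing brace.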
    
  • cggmp21/Cargo.toml (modified, +1 −1)
    @@ -1,6 +1,6 @@
     [package]
     name = "cggmp21"
    -version = "0.6.2"
    +version = "0.6.3"
     edition = "2021"
     license = "MIT OR Apache-2.0"
     description = "TSS ECDSA implementation based on CGGMP21 paper"
    
  • cggmp21/CHANGELOG.md (modified, +13 −0)
    @@ -1,5 +1,18 @@
     # Changelog
     
    +## v0.6.3
    +* Use `paillier-zk v0.4.3` that has patched ZK proof which includes a missing check
    +
    +> [!WARNING]  
    +> This library version implements CGGMP21 which uses Zero-Knowledge proofs as defined the CGGMP21
    +> paper, which contains a critical vulnerability that could lead to full private key recovery.
    +> 
    +> While we have patched this specific high-severity issue, ZK proofs still lacks other important
    +> security checks introduced in the revised CGGMP24 paper. The absence of these checks may expose
    +> other security risks.
    +> 
    +> For complete protection, please upgrade to the CGGMP24.
    +
     ## v0.6.2
     * Update the protocol to match the spec
     
    
