Medium severity 5.3 · OSV Advisory · Published Dec 14, 2025 · Updated Apr 15, 2026
CVE-2025-67897
Description
In Sequoia before 2.1.0, aes_key_unwrap panics if passed a ciphertext that is too short. A remote attacker can take advantage of this issue to crash an application by sending a victim an encrypted message with a crafted PKESK or SKESK packet.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sequoia-openpgp (crates.io) | < 2.1.0 | 2.1.0 |
Affected products
- Range: autocrypt/v0.23.0, autocrypt/v0.23.1, autocrypt/v0.24.0, …
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-v6x3-9r38-r27q (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-67897 (ghsa, ADVISORY)
- bugs.debian.org/1122582 (nvd, WEB)
- gitlab.com/sequoia-pgp/sequoia/-/blob/b59886e5e7bdf7169ed330f309a6633d131776e5/openpgp/NEWS (nvd, WEB)
- gitlab.com/sequoia-pgp/sequoia/-/commit/b59886e5e7bdf7169ed330f309a6633d131776e5 (nvd, WEB)
- rustsec.org/advisories/RUSTSEC-2025-0136.html (ghsa, WEB)