crates.io package
sequoia-openpgp
pkg:cargo/sequoia-openpgp
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-67897 | Med | 5.3 | | < 2.1.0 | 2.1.0 | Dec 14, 2025 | In Sequoia before 2.1.0, aes_key_unwrap panics if passed a ciphertext that is too short. A remote attacker can take advantage of this issue to crash an application by sending a victim an encrypted message with a crafted PKESK or SKESK packet. |
| CVE-2023-53160 | — | | | < 1.1.1 | 1.1.1 | Jul 28, 2025 | The sequoia-openpgp crate before 1.16.0 for Rust allows out-of-bounds array access and a panic. |
| CVE-2024-58261 | — | | | >= 1.13.0, < 1.21.0 | 1.21.0 | Jul 27, 2025 | The sequoia-openpgp crate 1.13.0 before 1.21.0 for Rust allows an infinite loop of "Reading a cert: Invalid operation: Not a Key packet" messages for RawCertParser operations that encounter an unsupported primary key type. |