{
  "schema_version": "1.4.0",
  "id": "GHSA-r38m-44fw-h886",
  "modified": "2025-03-03T20:22:19Z",
  "published": "2025-03-03T20:22:19Z",
  "aliases": [
    "CVE-2025-27498"
  ],
  "summary": "AEADs/ascon-aead: Plaintext exposed in decrypt_in_place_detached even on tag verification failure",
  "details": "### Summary\nIn `decrypt_in_place_detached`, the decrypted ciphertext (which is the correct ciphertext) is exposed even if the tag is incorrect.\n\n### Details\nThis is because in [decrypt_inplace](https://github.com/RustCrypto/AEADs/blob/8cda109f1128c4c7953a0bb0f53e1056d537e462/ascon-aead/src/asconcore.rs#L350-L364) in asconcore.rs, tag verification causes an error to be returned with the plaintext contents still in `buffer`. The root cause of this vulnerability is similar to https://github.com/RustCrypto/AEADs/security/advisories/GHSA-423w-p2w9-r7vq\n\n### PoC\n```rust\nuse ascon_aead::Tag;\nuse ascon_aead::{Ascon128, Key, Nonce};\nuse ascon_aead::aead::{AeadInPlace, KeyInit};\n\nfn main() {\n\n    let key = Key::<Ascon128>::from_slice(b\"very secret key.\");\n    let cipher = Ascon128::new(key);\n\n    let nonce = Nonce::<Ascon128>::from_slice(b\"unique nonce 012\"); // 128-bits; unique per message\n\n    let mut buffer: Vec<u8> = Vec::new(); // Buffer needs 16-bytes overhead for authentication tag\n    buffer.extend_from_slice(b\"plaintext message\");\n\n    // Encrypt `buffer` in-place detached, replacing the plaintext contents with ciphertext\n    cipher.encrypt_in_place_detached(nonce, b\"\", &mut buffer).expect(\"encryption failure!\");\n    \n    // Decrypt `buffer` in-place with the wrong tag, ignoring the decryption error\n    let _ = cipher.decrypt_in_place_detached(nonce, b\"\", &mut buffer, Tag::<Ascon128>::from_slice(b\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"));\n\n    assert_eq!(&buffer, b\"plaintext message\");\n}\n```\n### Impact\nIf a program continues to use the result of `decrypt_in_place_detached` after a decryption failure, the result will be unauthenticated. This may permit some forms of chosen ciphertext attacks (CCAs).",
  "severity": [
    {
      "type": "CVSS_V4",
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "ascon_aead"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.3"
            }
          ]
        }
      ],
      "database_specific": {
        "last_known_affected_version_range": "<= 0.4.2"
      }
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/RustCrypto/AEADs/security/advisories/GHSA-r38m-44fw-h886"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27498"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RustCrypto/AEADs/commit/d1d749ba57e38e65b0e037cd744d0b17f7254037"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/RustCrypto/AEADs"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-03T20:22:19Z",
    "nvd_published_at": "2025-03-03T17:15:16Z"
  }
}