CVE-2025-15469 Overview
CVE-2025-15469 is an Input Validation Error vulnerability affecting the OpenSSL openssl dgst command-line tool. When using one-shot signing algorithms such as Ed25519, Ed448, or ML-DSA variants, the tool silently truncates input data to 16MB and reports success instead of an error. This creates a dangerous integrity gap where users may believe entire files larger than 16MB are authenticated, while trailing data beyond the 16MB boundary remains completely unauthenticated.
Critical Impact
Cryptographic operations on files larger than 16MB may leave trailing data unauthenticated, allowing undetected modification of file contents beyond the 16MB boundary when both signing and verification use the affected openssl dgst command.
Affected Products
- OpenSSL 3.5
- OpenSSL 3.6
- Systems using openssl dgst with Ed25519, Ed448, ML-DSA-44, ML-DSA-65, or ML-DSA-87 algorithms
Discovery Timeline
- 2026-01-27 - CVE CVE-2025-15469 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2025-15469
Vulnerability Analysis
This vulnerability stems from improper handling of input data boundaries in the openssl dgst command-line tool when processing one-shot signing algorithms. One-shot algorithms, including Ed25519, Ed448, and the ML-DSA family (ML-DSA-44, ML-DSA-65, ML-DSA-87), require the entire message to be available before signing or verification can occur—they cannot process data incrementally like streaming digest algorithms.
The OpenSSL command-line tool implements a 16MB buffer limit for these operations. When input data exceeds this limit, the tool silently discards all data beyond 16MB and proceeds with cryptographic operations on only the truncated portion. Critically, no error or warning is reported to the user, contradicting the documented behavior.
The practical impact is significant for workflows that rely on the openssl dgst command for both signing and verification of large files. In such scenarios, an attacker could modify any portion of a file beyond the 16MB mark without invalidating the signature, as neither the signing nor verification process examines that data.
It is important to note that library API users and verifiers processing full messages through OpenSSL's programmatic interfaces are not affected—they will correctly reject signatures generated by the vulnerable command-line tool. Additionally, OpenSSL versions 3.4, 3.3, 3.0, 1.1.1, and 1.0.2 are not vulnerable, nor are the FIPS modules in 3.5 and 3.6.
Root Cause
The root cause is a boundary condition error in the openssl dgst command-line tool's input buffering implementation. The tool enforces a hardcoded 16MB buffer limit for one-shot signing algorithms but fails to properly validate that input data fits within this constraint. Instead of returning an error when input exceeds the buffer capacity, the implementation silently truncates the data and continues processing, violating the principle of fail-safe defaults and proper input validation (CWE-347: Improper Verification of Cryptographic Signature).
Attack Vector
The attack vector requires local access to the system where files are being signed or verified. An attacker must be able to modify target files that exceed 16MB in size and that are processed using the vulnerable openssl dgst command with one-shot signing algorithms.
The attack scenario proceeds as follows: a file larger than 16MB is signed using openssl dgst with an affected algorithm. An attacker then modifies data beyond the 16MB boundary. When verification is performed using the same vulnerable command, the modified trailing data is ignored, and the signature validates successfully despite the tampering.
This attack is constrained to environments where both signing and verification operations use the affected openssl dgst codepath. If verification occurs through library APIs or alternative tools that process the full message, the signature will be correctly rejected.
Detection Methods for CVE-2025-15469
Indicators of Compromise
- Unexpected truncation of cryptographic operations on files exceeding 16MB in size
- Signature verification succeeding on modified files when using openssl dgst with Ed25519, Ed448, or ML-DSA algorithms
- Log entries showing successful signing/verification of large files without corresponding full-file processing
Detection Strategies
- Audit scripts and workflows that use openssl dgst with one-shot signing algorithms (Ed25519, Ed448, ML-DSA variants) to identify operations on files potentially exceeding 16MB
- Implement file size checks before cryptographic operations to flag files exceeding the 16MB threshold
- Compare signature verification results between openssl dgst and library-based verification tools to identify discrepancies
Monitoring Recommendations
- Monitor for execution of openssl dgst commands with -sign or -verify flags combined with Ed25519, Ed448, or ML-DSA algorithm specifications
- Track file sizes being processed by signing and verification workflows to identify at-risk operations
- Implement integrity monitoring for critical files larger than 16MB that undergo cryptographic signing
How to Mitigate CVE-2025-15469
Immediate Actions Required
- Audit all systems running OpenSSL 3.5 or 3.6 for usage of openssl dgst with one-shot signing algorithms
- Implement file size validation checks before any signing or verification operations using affected algorithms
- Consider switching to library-based signing and verification for files exceeding 16MB until patches are applied
- Review and re-sign any critical files larger than 16MB that were signed using the affected command-line tool
Patch Information
OpenSSL has released patches addressing this vulnerability. The fixes ensure proper error handling when input data exceeds the buffer limit for one-shot signing algorithms. Patches are available in the following commits:
For detailed information, refer to the OpenSSL Security Advisory.
Workarounds
- Use streaming digest algorithms (such as SHA-256 with RSA or ECDSA) instead of one-shot algorithms for files that may exceed 16MB
- Implement application-level file size validation to reject files larger than 16MB before passing them to openssl dgst with affected algorithms
- Use OpenSSL library APIs directly for signing and verification operations on large files, as these correctly process the full message content
- Downgrade to OpenSSL 3.4 or earlier versions which are not affected by this vulnerability, if operationally feasible
# Workaround: Check file size before signing with one-shot algorithms
FILE_SIZE=$(stat -f%z "$FILE" 2>/dev/null || stat -c%s "$FILE")
MAX_SIZE=$((16 * 1024 * 1024))
if [ "$FILE_SIZE" -gt "$MAX_SIZE" ]; then
echo "Error: File exceeds 16MB limit for one-shot signing algorithms"
exit 1
fi
openssl dgst -sign private.pem -out signature.bin "$FILE"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
