Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66016

CVE-2025-66016: CGGMP24 ECDSA TSS Privilege Escalation

CVE-2025-66016 is a privilege escalation vulnerability in CGGMP24 ECDSA TSS protocol where a missing ZK proof check allows a malicious signer to reconstruct the full private key. This article covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2025-66016 Overview

CVE-2025-66016 is a critical cryptographic vulnerability affecting the CGGMP24 ECDSA Threshold Signature Scheme (TSS) protocol implementation. CGGMP24 is a state-of-the-art protocol that supports 1-round signing (requiring 3 preprocessing rounds), identifiable abort, and a key refresh protocol. Prior to version 0.6.3, a missing check in the Zero-Knowledge (ZK) proof validation enables a devastating attack where a single malicious signer can reconstruct the full private key, completely compromising the security guarantees of the threshold signature scheme.

Critical Impact

A single malicious participant in a threshold signing group can extract the complete private key, defeating the entire purpose of distributed key management and enabling unauthorized transaction signing or credential theft.

Affected Products

  • CGGMP24 (cggmp21) versions prior to 0.6.3
  • CGGMP24 (cggmp21) versions prior to 0.7.0-alpha.2 (for complete mitigation)
  • Applications utilizing the LFDT-Lockness/cggmp21 library for threshold ECDSA signing

Discovery Timeline

  • 2025-11-25 - CVE-2025-66016 published to NVD
  • 2025-11-25 - Last updated in NVD database

Technical Details for CVE-2025-66016

Vulnerability Analysis

This vulnerability falls under CWE-345 (Insufficient Verification of Data Authenticity), representing a fundamental flaw in the cryptographic protocol implementation. The CGGMP24 protocol relies on Zero-Knowledge proofs to ensure that each party in the threshold signing scheme behaves honestly without revealing their secret key shares. When these ZK proofs are not properly validated, the cryptographic guarantees of the protocol completely break down.

In threshold signature schemes like CGGMP24, the private key is split among multiple parties such that no single party possesses the complete key. Signing operations require cooperation from a threshold number of participants, providing security even if some parties are compromised. However, this vulnerability allows a malicious signer to exploit the missing verification check to extract key share information from honest participants, ultimately reconstructing the complete private key.

Root Cause

The root cause is a missing verification check in the Zero-Knowledge proof validation logic within the CGGMP24 implementation. During the signing protocol execution, parties exchange ZK proofs to demonstrate knowledge of their secret shares without revealing them. The vulnerable code path fails to properly validate certain components of these proofs, allowing a malicious party to craft specially constructed proof responses that leak information about other participants' key shares across multiple signing sessions.

Attack Vector

The attack is network-accessible and can be executed by any party that is legitimately part of the threshold signing group. The malicious signer participates in the signing protocol normally but crafts their protocol messages to extract information from honest parties' responses. By participating in multiple signing sessions (or potentially even a single session depending on the specific implementation details), the attacker can accumulate enough information to mathematically reconstruct the full private key.

The attack does not require any special privileges beyond being a legitimate participant in the threshold signature scheme. No user interaction is needed beyond the normal signing protocol execution. Once the private key is reconstructed, the attacker can sign arbitrary messages, forge transactions, or impersonate the legitimate key holder without any further cooperation from other parties.

Detection Methods for CVE-2025-66016

Indicators of Compromise

  • Unusual patterns in threshold signing protocol messages from specific participants
  • Single participant initiating an abnormally high number of signing sessions
  • Transactions or signatures appearing without proper multi-party authorization workflows
  • Evidence of key material being used outside the expected threshold signing infrastructure

Detection Strategies

  • Audit all signing sessions for protocol compliance and message integrity
  • Implement additional logging around ZK proof generation and verification steps
  • Monitor for unauthorized use of keys that should only be accessible through threshold signing
  • Review signing session logs for anomalous participant behavior patterns

Monitoring Recommendations

  • Enable comprehensive audit logging for all threshold signature operations
  • Implement anomaly detection for signing session frequency and participant patterns
  • Monitor blockchain or transaction systems for unexpected signatures from threshold-protected keys
  • Establish alerts for any signing activity outside normal operational windows

How to Mitigate CVE-2025-66016

Immediate Actions Required

  • Upgrade to cggmp24 version 0.6.3 or later immediately to address the ZK proof verification bypass
  • For complete mitigation with additional security checks, upgrade to cggmp24 version 0.7.0-alpha.2
  • Audit all systems using the LFDT-Lockness/cggmp21 library for vulnerable versions
  • Consider key rotation for any threshold signature keys that may have been used with vulnerable versions
  • Review signing session logs to identify potential exploitation attempts

Patch Information

The vulnerability has been patched in cggmp24 version 0.6.3. However, the vendor recommends upgrading to version 0.7.0-alpha.2 for full mitigation, as this release contains additional security checks that provide defense-in-depth against similar protocol-level attacks.

For technical details on the vulnerability and patch, refer to the GitHub Security Advisory and the DFNS technical article explaining the vulnerability and remediation steps.

Workarounds

  • Restrict threshold signing operations to fully trusted environments while awaiting patch deployment
  • Implement additional out-of-band verification for all signing operations
  • Consider temporarily suspending automated signing workflows until patched versions are deployed
  • Enhance participant authentication and monitoring for threshold signing ceremonies
bash
# Upgrade to patched version
# Using cargo (Rust package manager)
cargo update -p cggmp24 --precise 0.7.0-alpha.2

# Verify installed version
cargo tree -p cggmp24

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.