CVE-2025-13470

Summary

In RNP version 0.18.0 a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized except for zeroing, resulting in it always being an all-zero byte array.

Any data encrypted using public-key encryption in this release can be decrypted trivially by supplying an all-zero session key, fully compromising confidentiality.

The vulnerability affects only public key encryption (PKESK packets).  Passphrase-based encryption (SKESK packets) is not affected.

Root cause: Vulnerable session key buffer used in PKESK packet generation.

The defect was introduced in commit 7bd9a8dc356aae756b40755be76d36205b6b161a where initialization logic inside encrypted_build_skesk() only randomized the key for the SKESK path and omitted it for the PKESK path.

Affected Software

VendorProductVersion RangeStatus
RiboseRNP0.18.0affected

Weaknesses

  • CWE-330: CWE-330 Use of Insufficiently Random Values

Workarounds

No workaround.  All PKESK-encrypted ciphertext produced with 0.18.0 is compromised.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References