CVE-2025-1057
Keylime registrar is vulnerable to Denial-of-Service attack when updated to version 7.12.0
Description
### Impact

The Keylime `registrar` implemented more strict type checking on version 7.12.0. As a result, when updated to version 7.12.0, the `registrar` will not accept the format of the data previously stored in the database by versions >= 7.8.0, raising an exception. This makes the Keylime `registrar` vulnerable to a Denial-of-Service attack in an update scenario, as an attacker could populate the `registrar` database by creating multiple valid agent registrations with different UUIDs while the version is still < 7.12.0. Then, when the Keylime `registrar` is updated to the 7.12.0 version, any query to the database matching any of the entries populated by the attacker will result in failure.

### Patches

Users should upgrade to versions >= 7.12.1

### Workarounds

- Remove the registrar database and re-register all agents

### Credit

Reported by: Anderson Toshiyuki Sasaki/@ansasaki

Patched by: Anderson Toshiyuki Sasaki/@ansasaki
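The failure mode above is a general one: tightening input validation in a new release without migrating (or tolerating) rows that older releases already persisted turns every read of a legacy row into an exception, and anyone who could write rows beforehand can decide which reads fail. The following is an added illustration and not Keylime's code. It models a registrar row as a dict whose `regcount` field an older release stored as a string and a newer release requires as an int; that field name, the two encodings and the sample rows are constructed assumptions, not the registrar's real schema. It contrasts a strict loader with a migration-aware one and includes a pre-upgrade preflight that reports which stored rows a given loader would reject, which is the check an operator would want to run before rolling out a release that tightens validation.

```python
from dataclasses import dataclass


class InvalidRecord(ValueError):
    """Raised when a stored row does not pass the loader's checks."""


@dataclass
class AgentRecord:
    agent_id: str
    regcount: int


def _check_regcount(agent_id, rc) -> int:
    # Shared strict check: a non-negative int (bool is excluded on purpose,
    # since bool is a subclass of int in Python).
    if not isinstance(rc, int) or isinstance(rc, bool) or rc < 0:
        raise InvalidRecord(f"{agent_id}: regcount must be a non-negative int, got {rc!r}")
    return rc


def load_strict(row: dict) -> AgentRecord:
    """Stands in for the tightened type checking of a new release.

    Rows persisted in the legacy string encoding raise on every read,
    so one such row is enough to break any query that touches it.
    """
    return AgentRecord(row["agent_id"], _check_regcount(row["agent_id"], row.get("regcount")))


def load_migrating(row: dict) -> AgentRecord:
    """Migration-aware loader: normalise the legacy encoding first, then
    apply exactly the same strict check, so malformed rows are still rejected."""
    rc = row.get("regcount")
    if isinstance(rc, str) and rc.isascii() and rc.isdigit():  # legacy: digits stored as text
        rc = int(rc)
    return AgentRecord(row["agent_id"], _check_regcount(row["agent_id"], rc))


def preflight(rows, loader):
    """Pre-upgrade check: return the ids of rows the given loader would reject.

    Run this against a dump of the existing table with the new release's loader
    before upgrading; a non-empty result means the upgrade will break reads.
    """
    rejected = []
    for row in rows:
        try:
            loader(row)
        except InvalidRecord:
            rejected.append(row["agent_id"])
    return rejected


# Constructed sample rows (UUIDs and values are made up for this example).
SAMPLE_ROWS = [
    {"agent_id": "11111111-1111-4111-8111-111111111111", "regcount": "3"},  # legacy encoding
    {"agent_id": "22222222-2222-4222-8222-222222222222", "regcount": 1},    # current encoding
    {"agent_id": "33333333-3333-4333-8333-333333333333", "regcount": "x"},  # malformed
]

if __name__ == "__main__":
    print("strict loader would reject:   ", preflight(SAMPLE_ROWS, load_strict))
    print("migrating loader would reject:", preflight(SAMPLE_ROWS, load_migrating))
```

The strict loader rejects both the legacy row and the malformed one, which is the upgrade-time outage the advisory describes; the migrating loader converts the legacy row and rejects only the malformed one. The preflight is what makes the difference visible before the new version is in production rather than after.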
How to fix CVE-2025-1057
To remediate CVE-2025-1057, upgrade the affected package to a fixed version below.
- Upgrade to 7.12.1 or later
Is CVE-2025-1057 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 7.12.0, < 7.12.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |