{"ecosystem":"cargo","package":"ed25519-dalek","version":null,"bugs":[{"id":936,"ecosystem":"cargo","package_name":"ed25519-dalek","affected_version":"0.0.0-0","fixed_version":"2.0.0","bug_id":"osv:RUSTSEC-2022-0093","title":"Double Public Key Signing Function Oracle Attack on `ed25519-dalek`","description":"Versions of `ed25519-dalek` prior to v2.0 model private and public keys as\nseparate types which can be assembled into a `Keypair`, and also provide APIs\nfor serializing and deserializing 64-byte private/public keypairs.\n\nSuch APIs and serializations are inherently unsafe as the public key is one of\nthe inputs used in the deterministic computation of the `S` part of the signature,\nbut not in the `R` value. An adversary who could somehow use the signing function as\nan oracle that allows arbitrary public keys as input can obtain two signatures\nfor the same message sharing the same `R` and only differing in the `S` part.\n\nUnfortunately, when this happens, one can easily extract the private key.\n\nRevised public APIs in v2.0 of `ed25519-dalek` do NOT allow a decoupled\nprivate/public keypair as signing input, except as part of specially labeled\n\"hazmat\" APIs which are clearly labeled as being dangerous if misused.","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/ed25519-dalek","labels":["CVE-2022-50237","GHSA-w5vr-6qhr-36cc"],"created_at":"2026-04-19 04:32:17.369929+00:00","updated_at":"2026-04-19 04:32:17.369929+00:00"},{"id":935,"ecosystem":"cargo","package_name":"ed25519-dalek","affected_version":null,"fixed_version":"2.0.0","bug_id":"osv:GHSA-w5vr-6qhr-36cc","title":"`ed25519-dalek` Double Public Key Signing Function Oracle Attack","description":"Versions of `ed25519-dalek` prior to v2.0 model private and public keys as separate types which can be assembled into a `Keypair`, and also provide APIs for serializing and deserializing 64-byte private/public keypairs.\n\nSuch APIs and serializations are inherently unsafe as the public key is one of the inputs used in the deterministic computation of the `S` part of the signature, but not in the `R` value. An adversary who could somehow use the signing function as an oracle that allows arbitrary public keys as input can obtain two signatures for the same message sharing the same `R` and only differing in the `S` part.\n\nUnfortunately, when this happens, one can easily extract the private key.\n\nRevised public APIs in v2.0 of `ed25519-dalek` do NOT allow a decoupled private/public keypair as signing input, except as part of specially labeled \"hazmat\" APIs which are clearly labeled as being dangerous if misused.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50237","labels":["CVE-2022-50237","RUSTSEC-2022-0093"],"created_at":"2026-04-19 04:32:17.368995+00:00","updated_at":"2026-04-19 04:32:17.368995+00:00"}],"total":2,"_cache":"hit"}