Improper Validation of Specified Type of Input in keylime | CVE-2025-1057

Q: How to fix?

Upgrade keylime to version 7.12.1 or higher.

Threat Intelligence

Not Defined

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-PYTHON-KEYLIME-8730851
published16 Feb 2025
disclosed14 Feb 2025
creditAnderson Toshiyuki Sasaki

Report a new vulnerability Found a mistake?

Introduced: 14 Feb 2025

NewCVE-2025-1057 (opens in a new tab) CWE-1287 (opens in a new tab)

How to fix?

Upgrade keylime to version 7.12.1 or higher.

Overview

keylime is a TPM-based key bootstrapping and system integrity measurement system for cloud

Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input due to the registrar process. An attacker can cause the application to fail by populating the database with multiple valid agent registrations with different UUIDs while the version is still below 7.12.0. Then, upon updating to version 7.12.0, any query to the database matching any of the entries populated by the attacker will result in failure.

Workaround

This vulnerability can be mitigated by removing the registrar database and re-registering all agents

References

GitHub Commit

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
All

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Improper Validation of Specified Type of Input Affecting keylime package, versions [7.12.0, 7.12.1)

Severity