Use of Hard-coded Cryptographic Key Affecting openmls package, versions <0.7.1

Q: How to fix?

Upgrade openmls to version 0.7.1 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-RUST-OPENMLS-13110037
published29 Sept 2025
disclosed26 Sept 2025
crediterdoganege

Report a new vulnerability Found a mistake?

Introduced: 26 Sep 2025

CWE-321 (opens in a new tab)

How to fix?

Upgrade openmls to version 0.7.1 or higher.

Overview

Affected versions of this package are vulnerable to Use of Hard-coded Cryptographic Key due to improper updating of secret key material in the secret tree during message processing. An attacker can access and decrypt additional private messages by obtaining the client’s state and exploiting the persistence of outdated decryption keys. This is only exploitable if an adversary gains access to the client’s state.

Workaround

This vulnerability can be mitigated by increasing the frequency of group commits to advance epochs, or by sending a private message for each sender of previously received messages using the same group object without reloading it from storage in between.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Local
Attack Complexity (AC)
High
Attack Requirements (AT)
None
Privileges Required (PR)
High
User Interaction (UI)
Passive

Confidentiality (VC)
High
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None