Skip to main content

CVE-2025-52473: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in open-quantum-safe liboqs

Medium
VulnerabilityCVE-2025-52473cvecve-2025-52473cwe-200
Published: Thu Jul 10 2025 (07/10/2025, 18:42:17 UTC)
Source: CVE Database V5
Vendor/Project: open-quantum-safe
Product: liboqs

Description

liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Multiple secret-dependent branches have been identified in the reference implementation of the HQC key encapsulation mechanism when it is compiled with Clang for optimization levels above -O0 (-O1, -O2, etc). A proof-of-concept local attack exploits this secret-dependent information to recover the entire secret key. This vulnerability is fixed in 0.14.0.

AI-Powered Analysis

AILast updated: 07/10/2025, 19:17:07 UTC

Technical Analysis

CVE-2025-52473 is a medium-severity vulnerability affecting liboqs, a C-language cryptographic library that implements post-quantum cryptography algorithms. The vulnerability arises in the reference implementation of the HQC (Hamming Quasi-Cyclic) key encapsulation mechanism when compiled with Clang at optimization levels higher than -O0 (such as -O1, -O2, etc). Specifically, multiple secret-dependent branches exist in the code, which can leak sensitive information through side channels. A local attacker can exploit this by analyzing these secret-dependent branches to recover the entire secret key used in the HQC scheme. This exposure constitutes a breach of confidentiality (CWE-200) without affecting integrity or availability. The vulnerability does not require any privileges or user interaction but does require local access to the system. The issue has been addressed and fixed in liboqs version 0.14.0. The CVSS v3.1 base score is 5.9, reflecting a medium severity due to the network attack vector with high attack complexity and no privileges or user interaction required. No known exploits are currently in the wild. The vulnerability highlights the risks of side-channel leaks in cryptographic implementations, especially in emerging post-quantum cryptography libraries that are critical for future-proofing cryptographic security against quantum adversaries.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality of cryptographic keys used in post-quantum secure communications or data protection. Organizations adopting liboqs for quantum-resistant cryptography, particularly in sectors like finance, government, defense, and critical infrastructure, could have their secret keys exposed if vulnerable versions are used. This exposure could lead to unauthorized decryption of sensitive communications or data, undermining trust in post-quantum cryptographic solutions. Although exploitation requires local access, insider threats or compromised hosts could leverage this vulnerability to escalate access or exfiltrate secrets. The impact is particularly relevant as Europe is actively investing in quantum-safe cryptography research and deployment, meaning that vulnerable liboqs versions might be integrated into experimental or production systems. The confidentiality breach could also affect compliance with GDPR and other data protection regulations, as cryptographic key exposure may lead to unauthorized data access.

Mitigation Recommendations

European organizations should immediately audit their use of liboqs and verify the version in deployment. Any version prior to 0.14.0 should be upgraded to 0.14.0 or later to apply the fix. Since the vulnerability is related to compiler optimization, organizations should also review their build processes to ensure that secure compilation flags are used and consider recompiling cryptographic libraries with mitigations against secret-dependent branching side channels. Employing additional side-channel resistant coding practices and constant-time implementations is advisable. Access controls should be strengthened to limit local access to systems running liboqs, reducing the risk of local exploitation. Monitoring for unusual local activity and conducting regular security assessments of cryptographic modules can help detect attempts to exploit such vulnerabilities. Finally, organizations should stay informed about updates from the open-quantum-safe project and apply patches promptly.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-06-17T02:28:39.717Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68700df4a83201eaaca957d5

Added to database: 7/10/2025, 7:01:08 PM

Last enriched: 7/10/2025, 7:17:07 PM

Last updated: 7/11/2025, 2:29:13 AM

Views: 3

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats