CVE-2025-29991

Yubico YubiKey 5.4.1 through 5.7.3 before 5.7.4 has an incorrect FIDO CTAP PIN/UV Auth Protocol Two implementation. It uses the signature length from CTAP PIN/UV Auth Protocol One, even when CTAP PIN/UV Auth Protocol Two was chosen, resulting in a partial signature verification.

CVSS v3 2.2 LOW

2.2^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 0.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.yubico.com/support/security-advisories/ysa-2025-02/

Configurations

No configuration.

History

07 Apr 2025, 14:18

Type	Values Removed	Values Added
Summary		(es) Las versiones 5.4.1 a 5.7.3 de Yubico YubiKey, anteriores a la 5.7.4, tienen una implementación incorrecta del Protocolo de autenticación FIDO CTAP PIN/UV 2. Utilizan la longitud de firma del Protocolo de autenticación CTAP PIN/UV 1, incluso cuando se eligió este protocolo, lo que resulta en una verificación de firma parcial.

03 Apr 2025, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-03 03:15

Updated : 2025-04-07 14:18

NVD link : CVE-2025-29991

Mitre link : CVE-2025-29991

CVE.ORG link : CVE-2025-29991

JSON object : View

Products Affected

No product.

CWE

CWE-1390

Weak Authentication

2.2 /10