CVE-2025-30258
Public on 2025-03-19
Modified on 2025-07-17
Description
In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."
Exploitation of this vulnerability requires the customer to manually import a crafted certificate containing fingerprints that will then be used to verify signatures. Considering the tradeoff between the stability of Amazon Linux and the exploitation complexity of CVE-2025-30258, a fix will not be provided for gnupg2 in Amazon Linux 2 at this time. Users are advised to mitigate this issue by not importing suspicious GPG certificates and deleting any malicious keys from their keyrings.
Exploitation of this vulnerability requires the customer to manually import a crafted certificate containing fingerprints that will then be used to verify signatures. Considering the tradeoff between the stability of Amazon Linux and the exploitation complexity of CVE-2025-30258, a fix will not be provided for gnupg2 in Amazon Linux 2 at this time. Users are advised to mitigate this issue by not importing suspicious GPG certificates and deleting any malicious keys from their keyrings.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | gnupg | No Fix Planned | ||
| Amazon Linux 1 | gnupg2 | No Fix Planned | ||
| Amazon Linux 2 - Core | gnupg2 | No Fix Planned | ||
| Amazon Linux 2023 | gnupg2 | Pending Fix |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 3.3 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
| NVD | CVSSv3 | 2.7 | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L |