CVE-2025-58359
September 04, 2025
ZF FROST is a Rust implementation of FROST (Flexible Round-Optimised Schnorr Threshold signatures). In versions 2.0.0 through 2.1.0, refresh shares with smaller min_signers will reduce security of group. The inability to change min_signers (i.e. the threshold) with the refresh share functionality (frost_core::keys::refresh module) was not made clear to users. Using a smaller value would not decrease the threshold, and attempts to sign using a smaller threshold would fail. Additionally, after refreshing the shares with a smaller threshold, it would still be possible to sign with the original threshold, potentially causing a security loss to the participant's shares. This issue is fixed in version 2.2.0.
Affected Packages
https://github.com/ZcashFoundation/frost.git (GITHUB):
Affected version(s) >=frost-core/v0.1.0 <frost-core/v2.2.0Fix Suggestion:
Update to version frost-core/v2.2.0frost-core (RUST):
Affected version(s) >=0.1.0 <2.2.0Fix Suggestion:
Update to version 2.2.0Related ResourcesĀ (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
6
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
EPSS
Base Score:
0.03
