Impact
Crypt::DSA versions prior to 1.21 reused the same per-signature nonce for every call to sign(), causing the DSA parameter 'r' to be identical across signatures. Because each new signature uses the same nonce, an observer who has access to two signatures from the same key can mathematically recover the private signing key. This vulnerability directly violates the DSA security model and leads to a total compromise of cryptographic credentials, categorized as CWE‑323.
Affected Systems
Perl installations that rely on the TIMLEGGE Crypt::DSA module and deploy a version older than 1.21 are vulnerable. Any environment that performed two or more signatures with a single Key object is at risk, as Crypt::DSA was deprecated in 1.20 and users should have moved away from it before this flaw was addressed. Consequently, all releases of Crypt::DSA from 1.0 up to but not including 1.21 are impacted.
Risk and Exploitability
The documented CVSS score of 9.1 marks the issue as critically severe, while the EPSS score of less than 1% indicates a low probability of exploitation at the time of this assessment. The flaw is not listed in the CISA KEV catalog. exploitation requires that an attacker can obtain two signatures produced by the same Key object; this is usually possible when an application performs multiple signatures locally or an attacker can influence the signing process. Once two such signatures are observed, the private key can be derived, giving the attacker full control over all future signatures and a complete breach of integrity and authenticity for any data signed with the compromised key.
OpenCVE Enrichment