CVE-2025-13353: Gokey Vulnerability Exposes Seed-Based Password Generation

Overview

CVE-2025-13353 identifies a critical vulnerability in gokey versions prior to 0.2.0. This flaw impacts the generation of passwords when using a seed file (-s option). The issue lies within the seed decryption logic, leading to passwords being derived incorrectly from only the initial vector and the AES-GCM authentication tag of the key seed. Gokey version 0.2.0 addresses this vulnerability, but it’s a breaking change that invalidates previously generated secrets.

Technical Details

The core issue resided in how gokey versions before 0.2.0 utilized the seed file for password generation. Instead of using the entire seed file (240 bytes) as entropy, only a portion (28 bytes) was effectively used. This significantly reduced the entropy of generated passwords, making them more susceptible to attacks. The vulnerability stems from an error in the seed decryption process.

CVSS Analysis

As of this writing, a CVSS score is not available for CVE-2025-13353. However, given the potential for compromised passwords and secrets, this vulnerability is likely to be rated as High or Critical.

Possible Impact

This vulnerability specifically impacts keys/secrets generated using a seed file (-s option). Keys/secrets generated solely from the master password (without the -s option) are not affected. The confidentiality of the seed file itself remains intact. Specific impacts include:

• Keys/secrets generated from a seed file may have lower entropy than intended.
• A malicious actor possessing the seed file could potentially recover all passwords derived from that seed, even without knowing the master password.

Mitigation and Patch Steps

The recommended mitigation is to upgrade to gokey version 0.2.0 or later. This version contains the fix for the vulnerability. However, be aware that this is a breaking change, and previously generated secrets will be different even with the same seed file.

System Secret Rotation Guidance

It is crucial to regenerate passwords/secrets using the patched version of gokey (0.2.0 or above) and rotate these secrets in your systems. The specific rotation procedure depends on the system in question. Here are some common patterns:

Systems That Do Not Require the Old Password/Secret for Rotation

Use the system’s “Forgot Password” or similar facility to reset the password and input the newly generated secret.

Systems That Require the Old Password/Secret for Rotation

1. Temporarily download gokey version 0.1.3 from the official GitHub repository to recover the old password: https://github.com/cloudflare/gokey/releases/tag/v0.1.3
2. Use gokey version 0.2.0 or above to generate the new password.
3. Populate the system’s password rotation form with the old and new passwords.

Systems That Allow Multiple Credentials for the Same Account

1. Generate a new secret/key/credential using gokey version 0.2.0 or above.
2. Provision the new secret/key/credential in addition to the existing credential.
3. Verify that access is still possible with the new credential.
4. Revoke authorization for the old credential.

References

• GitHub Security Advisory: https://github.com/cloudflare/gokey/security/advisories/GHSA-69jw-4jj8-fcxm
• Gokey GitHub Repository: https://github.com/cloudflare/gokey

Credit

This vulnerability was found by Théo Cusnir (@mister_mime) and responsibly disclosed through Cloudflare’s bug bounty program.