
CWE-325 (Missing Required Cryptographic Step) — Vulnerability Class 35

35 vulnerabilities classified as CWE-325 (Missing Required Cryptographic Step). AI-generated Chinese analysis included.

CWE-325 represents a critical implementation flaw where software fails to execute a mandatory step within a cryptographic algorithm, thereby undermining the security guarantees promised by the underlying protocol. This weakness typically manifests when developers omit essential operations such as proper padding, key derivation, or initialization vector handling, resulting in ciphertext that is significantly easier to break than intended. Attackers exploit this gap by leveraging the reduced entropy or structural predictability to perform statistical analysis, brute-force attacks, or known-plaintext attacks that would otherwise be computationally infeasible against a correctly implemented cipher. To prevent this vulnerability, developers must rigorously adhere to standardized cryptographic libraries and specifications, ensuring every algorithmic step is explicitly coded and verified. Comprehensive code reviews and automated static analysis tools can further detect missing steps, ensuring that the final implementation matches the theoretical security model of the chosen cryptographic primitive.

MITRE CWE Description

The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

Common Consequences (3)

Scope: Access Control
Impact: Bypass Protection Mechanism

Scope: Confidentiality, Integrity
Impact: Read Application Data, Modify Application Data

Scope: Accountability, Non-Repudiation
Impact: Hide Activities
Examples (1)

The example code is taken from the HMAC engine inside the buggy OpenPiton SoC of HACK@DAC'21 [REF-1358]. HMAC is a message authentication code (MAC) that uses both a hash and a secret crypto key. The HMAC engine in the HACK@DAC SoC uses the SHA-256 module for the calculation of the HMAC for 512-bit messages.

Bad (Verilog):

    logic [511:0] bigData;   // 512-bit message buffer fed to the HMAC engine
    ...
    hmac hmac(
        .clk_i(clk_i),
        .rst_ni(rst_ni && ~rst_4),
        .init_i(startHash && ~startHash_r),
        .key_i(key),
        .ikey_hash_i(ikey_hash),
        .okey_hash_i(okey_hash),
        .key_hash_bypass_i(key_hash_bypass),
        .message_i(bigData),
        .hash_o(hash),
        .ready_o(ready),
        .hash_valid_o(hashValid)
    );
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-41395 | OpenClaw < 2026.3.28 - Webhook Replay via Query Parameter Reordering in Plivo V3 | OpenClaw | 7.5 | High | 2026-04-28
CVE-2026-29142 | Plaintext secure-mail.html | Secure Email Gateway | 7.5 (AI) | High (AI) | 2026-04-02
CVE-2026-4601 | jsrsasign Security Vulnerability | jsrsasign | 8.7 | High | 2026-03-23
CVE-2025-47383 | Missing Cryptographic Step in Data Modem | Snapdragon | 7.2 | High | 2026-03-02
CVE-2025-69418 | Unauthenticated/unencrypted trailing bytes with low-level OCB function calls | OpenSSL | 9.1 (AI) | Critical (AI) | 2026-01-27
CVE-2026-22863 | Deno node:crypto doesn't finalize cipher | deno | 7.5 | - | 2026-01-15
CVE-2025-60704 | Windows Kerberos Elevation of Privilege Vulnerability | Windows 10 Version 1607 | 7.5 | High | 2025-11-11
CVE-2025-59339 | The Bastion ttyrec files are not signed after encryption by the osh-encrypt-rsync script | the-bastion | 4.4 | Medium | 2025-09-17
CVE-2025-58359 | frost-core: refresh shares with smaller min_signers will reduce group security | frost | 6.5 (AI) | Medium (AI) | 2025-09-04
CVE-2025-49600 | Mbed TLS Security Vulnerability | mbedtls | 4.9 | Medium | 2025-07-04
CVE-2015-20112 | Ethereum RLPx Security Vulnerability | RLPx | 3.4 | Low | 2025-06-29
CVE-2025-3938 | Missing Cryptographic Step | Niagara Framework | 6.8 | Medium | 2025-05-22
CVE-2025-30147 | ALTBN128_ADD, ALTBN128_MUL, ALTBN128_PAIRING precompile functions do not check if points are on curve | besu-native | 7.5 (AI) | High (AI) | 2025-05-07
CVE-2022-20793 | Cisco Touch 10 Device Insufficient Identity Verification Vulnerability | Cisco RoomOS Software | 6.8 | Medium | 2024-11-15
CVE-2024-43547 | Windows Kerberos Information Disclosure Vulnerability | Windows 10 Version 1809 | 6.5 | Medium | 2024-10-08
CVE-2023-39199 | Zoom Client Encryption Issue Vulnerability | Zoom Clients | 4.9 | Medium | 2023-11-14
CVE-2023-40012 | uthenticode EKU validation bypass | uthenticode | 5.9 | Medium | 2023-08-09
CVE-2023-34471 | Missing Cryptographic Step | MegaRAC_SPx | 6.3 | Medium | 2023-07-05
CVE-2023-28999 | Nextcloud: Lack of authenticity of metadata keys allows a malicious server to gain access to E2EE folders | security-advisories | 6.9 | Medium | 2023-04-04
CVE-2023-28998 | Nextcloud Desktop client misbehaves with E2EE when the server returns empty list of metadata keys | security-advisories | 6.7 | Medium | 2023-04-04
CVE-2022-30115 | curl Security Vulnerability | https://github.com/curl/curl | 4.3 | - | 2022-06-01
CVE-2022-29229 | Missing Cryptographic Step in cassproject | CASS | 6.3 | Medium | 2022-05-18
CVE-2022-20742 | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software IPsec IKEv2 VPN Information Disclosure Vulnerability | Cisco Adaptive Security Appliance (ASA) Software | 7.4 | High | 2022-05-03
CVE-2022-1279 | Insecure EBICS messages encryption implementation in ebics-java/ebics-java-client could allow an adjacent attacker to decrypt EBICS payloads | ebics-java-client | 6.5 | Medium | 2022-04-14
CVE-2021-22946 | libcurl Security Vulnerability | https://github.com/curl/curl | 9.1 | - | 2021-09-29
CVE-2021-3680 | Missing Cryptographic Step in star7th/showdoc | star7th/showdoc | 6.5 | - | 2021-08-04
CVE-2020-26244 | Cryptographic issues in Python oic | pyoidc | 6.8 | Medium | 2020-12-02
CVE-2020-15098 | Missing Required Cryptographic Step Leading to Sensitive Information Disclosure in TYPO3 CMS | TYPO3 CMS | 8.8 | High | 2020-07-29
CVE-2020-10702 | QEMU Security Vulnerability | qemu | 5.5 | Medium | 2020-06-04
CVE-2019-3738 | Dell RSA BSAFE Crypto-J Data Forgery Issue Vulnerability | RSA BSAFE Crypto-J | 6.5 | - | 2019-09-18

Scores and severities marked "(AI)" are AI-estimated rather than vendor- or NVD-assigned; a "-" means no severity was recorded.

Vulnerabilities classified as CWE-325 (Missing Required Cryptographic Step) represent 35 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.