AI description
CVE-2025-59534 is a command injection vulnerability found in CryptoLib, a software solution used for secure communication between spacecraft and ground stations. Specifically, the vulnerability exists in the `initialize_kerberos_keytab_file_login()` function. The flaw arises because the code directly incorporates user-controlled input into a shell command without proper validation or sanitization, and then executes this command using `system()`. This vulnerability, present in CryptoLib versions prior to 1.4.2, was patched in version 1.4.2. The vulnerability remained hidden for three years, between September 2022 and September 2025.
- Description
- CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.2, there is a command injection vulnerability in initialize_kerberos_keytab_file_login(). The vulnerability exists because the code directly interpolates user-controlled input into a shell command and executes it via system() without any sanitization or validation. This issue has been patched in version 1.4.2.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- cryptolib
CVSS 3.1
- Type
- Primary
- Base score
- 7.8
- Impact score
- 5.9
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity
- HIGH
- security-advisories@github.com
- CWE-78
- Hype score
- Not currently trending
Just published a detailed writeup on CVE-2025-59534: a command-injection flaw we at @WeAreAisle uncovered in NASA's CryptoLib. It lived unnoticed for ~3 years in code responsible for securing spacecraft comms & was ironically added in a hardening code change. It's fixed no
@stanislavfort
28 Nov 2025
983 Impressions
0 Retweets
7 Likes
0 Bookmarks
2 Replies
0 Quotes
Command Injection in NASA CryptoLib (CVE-2025-59534) https://t.co/xRAbHmkpf8 https://t.co/k2ljuxlwyg
@blackorbird
28 Nov 2025
1983 Impressions
4 Retweets
22 Likes
3 Bookmarks
0 Replies
0 Quotes
CVE-2025-59534 | NASA CryptoLib up to 1.4.1 CCSDS Space Data Link Security Protocol initialize_kerberos_keytab_file_login os command injection (GHSA-jw5c-58hr-m3v3) #宇宙セキュリティ #宇宙 #セキュリティ #security #space #spacesecurity https://t.co/ZHRqegGM7M
@SpaceCyberSec
25 Sept 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nasa:cryptolib:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E4DDC475-C0F4-45E8-B998-99004402B827",
"versionEndExcluding": "1.4.2"
}
],
"operator": "OR"
}
]
}
]