SCA: security update for github.com/cloudflare/gokey (GHSA-69jw-4jj8-fcxm)

high Tenable Cloud Security Plugin ID 436185

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In gokey versions <0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being
derived solely from the initial vector and the AES-GCM authentication tag of the key seed. This issue has
been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any
passwords/secrets that were derived from the seed file (using the -s option). Even if the input seed file
stays the same, version 0.2.0 gokey will generate different secrets. Impact This vulnerability impacts
generated keys/secrets using a seed file as an entropy input (using the -s option). Keys/secrets generated
just from the master password (without the -s option) are not impacted. The confidentiality of the seed
itself is also not impacted (it is not required to regenerate the seed itself). Specific impact includes:
* keys/secrets generated from a seed file may have lower entropy: it was expected that the whole seed
would be used to generate keys (240 bytes of entropy input), where in vulnerable versions only 28 bytes
was used * a malicious entity could have recovered all passwords, generated from a particular seed, having
only the seed file in possession without the knowledge of the seed master password Patches The code logic
bug has been fixed in gokey version 0.2.0 and above. Due to the deterministic nature of gokey, fixed
versions will produce different passwords/secrets using seed files, as all seed entropy will be used now.
System secret rotation guidance It is advised for users to regenerate passwords/secrets using the patched
version of gokey (0.2.0 and above), and provision/rotate these secrets into respective systems in place of
the old secret. A specific rotation procedure is system-dependent, but most common patterns are described
below. Systems that do not require the old password/secret for rotation Such systems usually have a
"Forgot password" facility or a similar facility allowing users to rotate their password/secrets by
sending a unique "magic" link to the user's email or phone. In such cases users are advised to use this
facility and input the newly generated password secret, when prompted by the system. Systems that require
the old password/secret for rotation Such systems usually have a modal password rotation window usually in
the user settings section requiring the user to input the old and the new password sometimes with a
confirmation. To generate/recover the old password in such cases users are advised to: * temporarily
download gokey version 0.1.3 https://github.com/cloudflare/gokey/releases/tag/v0.1.3 for their respective
operating system to recover the old password * use gokey version 0.2.0 or above to generate the new
password * populate the system provided password rotation form Systems that allow multiple credentials for
the same account to be provisioned Such systems usually require a secret or a cryptographic key as a
credential for access, but allow several credentials at the same time. One example is SSH: a particular
user may have several authorized public keys configured on the SSH server for access. For such systems
users are advised to: * generate a new secret/key/credential using gokey version 0.2.0 or above *
provision the new secret/key/credential in addition to the existing credential on the system * verify that
the access or required system operation is still possible with the new secret/key/credential * revoke
authorization for the existing/old credential from the system Credit This vulnerability was found by Théo
Cusnir ( @mister_mime https://hackerone.com/mister_mime ) and responsibly disclosed through Cloudflare's
bug bounty program. (CVE-2025-13353)

See Also

https://github.com/advisories/GHSA-69jw-4jj8-fcxm

Plugin Details

Severity: High

ID: 436185

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 12/2/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2025-13353

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.1

Threat Score: 4

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 12/2/2025

Vulnerability Publication Date: 12/2/2025

Reference Information

CVE: CVE-2025-13353

cwe: CWE-330