CVE-2025-0343

High

Published: 15 January 2025

Published

15 January 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0022 43.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Swift ASN.1 can be caused to crash when parsing certain BER/DER constructions. This crash is caused by a confusion in the ASN.1 library itself which assumes that certain objects can only be provided in either constructed or primitive forms, and will trigger a preconditionFailure if that constraint isn't met. Importantly, these constraints are actually required to be true in DER, but that correctness wasn't enforced on the early node parser side so it was incorrect to rely on it later on in decoding, which is what the library did. These crashes can be triggered when parsing any DER/BER format object. There is no memory-safety issue here: the crash is a graceful one from the Swift runtime. The impact of this is that it can be used as a denial-of-service vector when parsing BER/DER data from unknown sources, e.g. when parsing TLS certificates.

Security Summary

CVE-2025-0343 is a vulnerability in Apple's Swift ASN.1 library that causes a crash during parsing of certain BER/DER constructions. The issue arises from a confusion within the ASN.1 library, which assumes specific objects are provided only in either constructed or primitive forms and triggers a preconditionFailure if this constraint is violated. While these constraints are required in DER, the early node parser did not enforce them, leading to incorrect reliance during later decoding stages. The crash is graceful, triggered by the Swift runtime with no memory-safety issues involved.

Any network-accessible attacker can exploit this vulnerability with low complexity and no privileges required, as reflected in its CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Exploitation occurs by supplying malformed BER/DER data from untrusted sources, such as TLS certificates, causing the parser to crash and resulting in a denial-of-service condition against applications using the library.

The primary advisory is available at https://github.com/apple/swift-asn1/security/advisories/GHSA-w8xv-rwgf-4fwh, which details the vulnerability in the swift-asn1 repository. It is associated with CWE-228 (Implementation). The vulnerability was published on 2025-01-15.

Details

CWE(s): CWE-228

References

https://github.com/apple/swift-asn1/security/advisories/GHSA-w8xv-rwgf-4fwh
cve@forums.swift.org