RNP version 0.18.1 released

Nickolay Olshevsky Ronald Tse on 20 Nov 2025

The RNP 0.18.1 release is a critical security update that addresses CVE-2025-13470, a high-severity vulnerability in session key generation for public key encryption introduced in version 0.18.0.

All users of RNP 0.18.0 should upgrade immediately to version 0.18.1.

Security vulnerability: CVE-2025-13470

Summary

RNP version 0.18.0 contains a critical vulnerability in session key generation for PKESK (Public Key Encrypted Session Key) packets. Session keys were generated without cryptographically random values.

• CVE: CVE-2025-13470

• Severity: High (CVSS 7.5)

• Affected Version: 0.18.0 ONLY

• Fixed Version: 0.18.1

Technical details

During refactoring work in version 0.18.0, the session key initialization for SKESK (passphrase-based encryption) was correctly updated. However, the corresponding initialization for PKESK (public key encryption) was not implemented, resulting in vulnerable session keys.

The vulnerability affects only public key encryption (PKESK packets). Passphrase-based encryption (SKESK packets) is not affected.

Root cause: Vulnerable session key buffer used in PKESK packet generation.

• CWE: CWE-330: Use of Insufficiently Random Values

• CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Base Score: 7.5)

Impact

Messages encrypted with RNP 0.18.0 using public key encryption use vulnerable session key values. This is a confidentiality issue for PKESK-encrypted data.

Encryption types affected:

• Public key encryption (PKESK) - AFFECTED

• Passphrase-based encryption (SKESK) - NOT AFFECTED

Affected and unaffected versions

AFFECTED:

• RNP 0.18.0 ONLY

NOT AFFECTED:

• RNP 0.17.1 and all earlier versions

• RNP 0.18.1 and later versions

Timeline

• 2025-06-19: RNP 0.18.0 released (vulnerability introduced)

• 2025-11-07: Vulnerability discovered and reported by Johannes Roth (MTG AG)

• 2025-11-19: CVE-2025-13402 assigned by Red Hat

• 2025-11-20: CVE-2025-13470 assigned by Ribose/MITRE

• 2025-11-20: Fix developed and tested

• 2025-11-21: RNP 0.18.1 released with fix

• 2025-11-21: Public disclosure (same day as release)

Affected distributions

Version 0.18.0 was released on 2025-06-19 and has been packaged by numerous distributions:

• Debian 14, unstable

• Devuan unstable

• EPEL 8, 9, 10

• Exherbo

• Fedora 41, 42, 43, Rawhide

• FreeBSD Ports

• Homebrew

• Kali Linux Rolling

• nixpkgs unstable

• OpenBSD Ports

• openmamba

• openSUSE Tumbleweed

RNP 0.17.1 and earlier versions are NOT affected by this vulnerability.

Thunderbird status

Thunderbird’s affected status depends on distribution packaging:

UPSTREAM THUNDERBIRD (NOT AFFECTED):

Upstream Thunderbird binaries bundle RNP version 0.17.1, which is not affected.

DISTRIBUTION-PACKAGED THUNDERBIRD (VARIES):

Some distributions build Thunderbird to use system-installed RNP libraries instead of the bundled version. Thunderbird’s affected status depends on:

1. Whether the distribution builds Thunderbird with system RNP or bundled RNP

2. If using system RNP, which version of RNP is installed

Known configurations:

• Gentoo: Uses system RNP (via +system-librnp USE flag). If system RNP is version 0.18.0, Thunderbird IS AFFECTED.

• Most other distributions: Use bundled RNP 0.17.1, NOT AFFECTED.

Distributions should verify their Thunderbird packaging:

• Check if Thunderbird is built with --enable-system-rnp or similar flags

• Check if Thunderbird package has a dependency on system RNP libraries

• If Thunderbird uses system RNP 0.18.0, it is AFFECTED

Mitigation and recommendations

For standalone RNP users

Upgrade to RNP 0.18.1 immediately.

For distributions that have packaged 0.18.0

Please update to 0.18.1 when released, or consider providing 0.17.1 as an interim option.

For Thunderbird packages using system RNP

If your Thunderbird package is built with system RNP support and RNP 0.18.0 is installed, update RNP to 0.18.1 or 0.17.1. Consider whether Thunderbird should continue using system RNP or switch to bundled RNP.

For users

Users who encrypted sensitive data using RNP 0.18.0 (standalone or via Thunderbird with system RNP 0.18.0) should re-encrypt that data with RNP 0.18.1 or 0.17.1 based on their security requirements.

Additional improvements

In addition to the critical security fix, this release includes:

Botan 3.7.0 compatibility

Full compatibility with Botan 3.7.0 has been ensured, addressing API changes introduced in the latest Botan release.

Bug fixes

Various bug fixes and minor improvements enhance RNP’s stability and reliability.

Credits

The vulnerability was discovered and reported by Johannes Roth of MTG AG.

We thank Johannes for the responsible disclosure and coordination.

References

• CVE: CVE-2025-13470

• Red Hat CVE: https://access.redhat.com/security/cve/cve-2025-13402

• Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2415863

• Red Hat CSAF: https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-13402.json

• Ribose CNA Advisory: https://open.ribose.com/advisories/ra-2025-11-20/

• Release 0.18.1: https://github.com/rnpgp/rnp/releases/tag/v0.18.1

Contact

For security-related questions or coordination: open.source@ribose.com

For detailed technical information and the complete list of changes, please visit the release page.