CVE-2025-58359 is rated low severity, with a CVSS score of 0.0. No exploits are currently known, and patches are available.
Very low probability of exploitation
EPSS estimates the probability that a vulnerability will be exploited in the next 30 days, based on real-world threat data; it complements CVSS severity scores with a measure of actual exploitation risk.
The documentation did not make clear that the refresh share functionality (the frost_core::keys::refresh module) cannot change min_signers (the threshold). Passing a smaller value does not decrease the threshold, and attempts to sign with fewer participants than the original threshold fail. After refreshing shares with a smaller min_signers, signing with the original threshold still works; however, the refresh could weaken the security of the participants' shares. We have not determined the exact security implications of doing so and judged it simpler to validate min_signers instead.
If for some reason you have run a refresh share procedure with a smaller min_signers, we strongly recommend migrating to a new key.
Updating to 2.2.0 ensures that the min_signers parameter is validated. It does not, however, restore the security of groups that were refreshed with a smaller min_signers parameter.
You do not need to update if you do not use the refresh share functionality, or if you never tried to change min_signers through it.
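To make the threshold argument concrete, the following is an added illustration written for this page; it is not frost-core code and not part of the advisory. It implements toy Shamir secret sharing over GF(2^61 - 1) with the classic proactive-refresh construction (each share is updated with the evaluation of a random polynomial whose constant term is zero). The field, the deterministic xorshift "randomness", the sample secret and the `validate_refresh_min_signers` function (a stand-in for the check added in 2.2.0, not its real name or signature) are all assumptions for illustration. It shows that refreshing with a smaller threshold leaves the secret recoverable only with the original number of shares, and that mixing pre- and post-refresh shares fails, which is why a group refreshed with a wrong min_signers should be treated with suspicion rather than as a group with a lower threshold.

```rust
// Added illustration: toy Shamir sharing over GF(p), p = 2^61 - 1.
// NOT frost-core code and NOT secure (deterministic toy randomness, no proofs,
// no authenticated channels); it only demonstrates the threshold arithmetic.

const P: u128 = (1u128 << 61) - 1; // Mersenne prime; a*b < 2^122 fits in u128

fn add(a: u128, b: u128) -> u128 { (a + b) % P }
fn sub(a: u128, b: u128) -> u128 { (a + P - b) % P }
fn mul(a: u128, b: u128) -> u128 { (a * b) % P }

/// base^exp mod P by square-and-multiply; the inverse is a^(P-2) (Fermat).
fn pow(mut base: u128, mut exp: u128) -> u128 {
    let mut acc = 1;
    while exp > 0 {
        if exp & 1 == 1 { acc = mul(acc, base); }
        base = mul(base, base);
        exp >>= 1;
    }
    acc
}
fn inv(a: u128) -> u128 { pow(a, P - 2) }

/// Horner evaluation; coeffs[0] is the constant term (the shared secret).
fn eval(coeffs: &[u128], x: u128) -> u128 {
    coeffs.iter().rev().fold(0, |acc, &c| add(mul(acc, x), c))
}

/// Reproducible toy randomness (xorshift64); never 0 for a nonzero seed.
struct ToyRng(u64);
impl ToyRng {
    fn next_nonzero(&mut self) -> u128 {
        let mut x = self.0;
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;
        self.0 = x;
        ((x as u128) % (P - 1)) + 1 // field element in [1, P-1]
    }
}

/// Dealer: the secret is the constant term of a degree (min_signers - 1)
/// polynomial f; participant i receives the share (i, f(i)).
fn deal(secret: u128, min_signers: usize, max_signers: usize, rng: &mut ToyRng) -> Vec<(u128, u128)> {
    let mut coeffs = vec![secret];
    for _ in 1..min_signers { coeffs.push(rng.next_nonzero()); }
    (1..=max_signers as u128).map(|x| (x, eval(&coeffs, x))).collect()
}

/// Proactive refresh: add a random polynomial r with r(0) = 0 and degree
/// (threshold - 1). The constant term of f + r is still the secret, and the
/// degree of f + r is max(deg f, deg r), so asking for a smaller threshold
/// cannot lower the number of shares needed to reconstruct.
fn refresh_shares(shares: &[(u128, u128)], threshold: usize, rng: &mut ToyRng) -> Vec<(u128, u128)> {
    let mut zero_poly = vec![0u128];
    for _ in 1..threshold { zero_poly.push(rng.next_nonzero()); }
    shares.iter().map(|&(x, y)| (x, add(y, eval(&zero_poly, x)))).collect()
}

/// Lagrange interpolation at x = 0 over whatever shares are supplied.
fn reconstruct(shares: &[(u128, u128)]) -> u128 {
    let mut secret = 0;
    for (i, &(xi, yi)) in shares.iter().enumerate() {
        let (mut num, mut den) = (1, 1);
        for (j, &(xj, _)) in shares.iter().enumerate() {
            if i != j {
                num = mul(num, sub(0, xj));
                den = mul(den, sub(xi, xj));
            }
        }
        secret = add(secret, mul(yi, mul(num, inv(den))));
    }
    secret
}

/// Hypothetical stand-in for the 2.2.0 check: a refresh may not change min_signers.
fn validate_refresh_min_signers(current: usize, requested: usize) -> Result<(), &'static str> {
    if requested == current { Ok(()) } else { Err("min_signers cannot be changed by a share refresh") }
}

fn main() {
    let mut rng = ToyRng(0x9E37_79B9_7F4A_7C15);
    let secret: u128 = 0xC0FFEE; // constructed sample secret
    let shares = deal(secret, 3, 5, &mut rng);
    // Refresh while (wrongly) asking for threshold 2 instead of the original 3.
    let refreshed = refresh_shares(&shares, 2, &mut rng);
    println!("2 refreshed shares recover the secret? {}", reconstruct(&refreshed[..2]) == secret); // false
    println!("3 refreshed shares recover the secret? {}", reconstruct(&refreshed[..3]) == secret); // true
    println!("1 old + 2 new shares recover the secret? {}",
        reconstruct(&[shares[0], refreshed[1], refreshed[2]]) == secret); // false
    println!("validate(3 -> 2): {:?}", validate_refresh_min_signers(3, 2));
}
```

The two-share reconstruction fails because the original degree-2 term survives the refresh (a degree-1 update cannot cancel it), and the mixed reconstruction fails because old and new shares lie on different polynomials; neither outcome depends on the particular random values, only on the coefficients being nonzero. What a too-small refresh does to the confidentiality of the shares themselves is exactly the question the advisory leaves open, which is why the fix rejects the parameter instead of reasoning about it.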
Thank you to BlockSec for reporting the finding.
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.