GHSA-RC6V-5RMX-W5MV

GHSA-RC6V-5RMX-W5MV is a medium-severity security vulnerability in github.com/arnika-project/arnika (go), affecting versions <= 1.0.0. It is fixed in 1.0.1.

Summary

Three medium-severity issues in arnika affecting the UDP key-rotation protocol, PQC key file handling, and KMS TLS client. All require specific preconditions to exploit and do not allow direct code execution or immediate key extraction. A self-contained PoC is attached.

Details

  1. ACK timestamp not validated: udpserver.go:185
    udpClient() verifies HMAC and packet type but never checks ackPkt.Timestamp. A MITM can capture one ACK, drop all subsequent DATA packets, and replay the stale ACK indefinitely. Primary advances PSK each rotation, backup stays on key 1, tunnel breaks. No PSK knowledge needed. The server side already has this check, the client does not.
    Fix: mirror the timestamp check already present on the server side.

  2. Empty PQC key file silently accepted: repositories/pqc.go:29
    os.ReadFile follows symlinks. Empty file to base64.Decode("") = []byte{}, nil. HKDF runs on the QKD key alone while arnika logs [OK] HKDF derivation completed for QKD+PQC key. Requires write access to the directory containing PQC_PSK_FILE.
    Fix: validate decoded key is non-empty before derivation; enforce parent directory permissions in SECURITY.md.

  3. InsecureSkipVerify: true hardcoded: repositories/kms.go:61
    KMS HTTP client unconditionally sets InsecureSkipVerify: true, overriding RootCAs. CA_CERTIFICATE is loaded but never consulted (dead code). Requires MITM between arnika and the KMS endpoint, which in typical deployments are co-located.
    Fix: remove the flag; RootCAs already holds the correct pool when CA_CERTIFICATE is configured.

PoC

See arnika_exploit.tar.gz. PoC shows observable behavior for each attack; the third one (KMS MITM) needs no custom code, any HTTPS proxy with a self-signed cert is enough.

Impact

Issues require network MITM or local directory write access to exploit. No direct key extraction or code execution. Primary impact is tunnel desync and silent security downgrade in hybrid QKD+PQC mode.

GHSA-RC6V-5RMX-W5MV has a CVSS score of 2.8 (Medium). The vector is requires physical access, high privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.0.1); upgrading removes the vulnerable code path.

Affected versions

github.com/arnika-project/arnika (<= 1.0.0)

Security releases

github.com/arnika-project/arnika → 1.0.1 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade github.com/arnika-project/arnika to 1.0.1 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-RC6V-5RMX-W5MV? GHSA-RC6V-5RMX-W5MV is a medium-severity security vulnerability in github.com/arnika-project/arnika (go), affecting versions <= 1.0.0. It is fixed in 1.0.1.
  2. How severe is GHSA-RC6V-5RMX-W5MV? GHSA-RC6V-5RMX-W5MV has a CVSS score of 2.8 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/arnika-project/arnika are affected by GHSA-RC6V-5RMX-W5MV? github.com/arnika-project/arnika (go) versions <= 1.0.0 is affected.
  4. Is there a fix for GHSA-RC6V-5RMX-W5MV? Yes. GHSA-RC6V-5RMX-W5MV is fixed in 1.0.1. Upgrade to this version or later.
  5. Is GHSA-RC6V-5RMX-W5MV exploitable, and should I be worried? Whether GHSA-RC6V-5RMX-W5MV is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-RC6V-5RMX-W5MV is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-RC6V-5RMX-W5MV? Upgrade github.com/arnika-project/arnika to 1.0.1 or later.

Other vulnerabilities in github.com/arnika-project/arnika

Stop the waste.
Protect your environment with Kodem.