Summary
Three medium-severity issues in arnika affecting the UDP key-rotation protocol, PQC key file handling, and KMS TLS client. All require specific preconditions to exploit and do not allow direct code execution or immediate key extraction. A self-contained PoC is attached.
Details
ACK timestamp not validated:
udpserver.go:185udpClient()verifies HMAC and packet type but never checksackPkt.Timestamp. A MITM can capture one ACK, drop all subsequent DATA packets, and replay the stale ACK indefinitely. Primary advances PSK each rotation, backup stays on key 1, tunnel breaks. No PSK knowledge needed. The server side already has this check, the client does not.
Fix: mirror the timestamp check already present on the server side.Empty PQC key file silently accepted:
repositories/pqc.go:29os.ReadFilefollows symlinks. Empty file tobase64.Decode("") = []byte{}, nil. HKDF runs on the QKD key alone while arnika logs[OK] HKDF derivation completed for QKD+PQC key. Requires write access to the directory containingPQC_PSK_FILE.
Fix: validate decoded key is non-empty before derivation; enforce parent directory permissions inSECURITY.md.InsecureSkipVerify: truehardcoded:repositories/kms.go:61
KMS HTTP client unconditionally setsInsecureSkipVerify: true, overridingRootCAs.CA_CERTIFICATEis loaded but never consulted (dead code). Requires MITM between arnika and the KMS endpoint, which in typical deployments are co-located.
Fix: remove the flag;RootCAsalready holds the correct pool whenCA_CERTIFICATEis configured.
PoC
See arnika_exploit.tar.gz. PoC shows observable behavior for each attack; the third one (KMS MITM) needs no custom code, any HTTPS proxy with a self-signed cert is enough.
Impact
Issues require network MITM or local directory write access to exploit. No direct key extraction or code execution. Primary impact is tunnel desync and silent security downgrade in hybrid QKD+PQC mode.
GHSA-RC6V-5RMX-W5MV has a CVSS score of 2.8 (Medium). The vector is requires physical access, high privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.0.1); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-RC6V-5RMX-W5MV? GHSA-RC6V-5RMX-W5MV is a medium-severity security vulnerability in github.com/arnika-project/arnika (go), affecting versions <= 1.0.0. It is fixed in 1.0.1.
- How severe is GHSA-RC6V-5RMX-W5MV? GHSA-RC6V-5RMX-W5MV has a CVSS score of 2.8 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/arnika-project/arnika are affected by GHSA-RC6V-5RMX-W5MV? github.com/arnika-project/arnika (go) versions <= 1.0.0 is affected.
- Is there a fix for GHSA-RC6V-5RMX-W5MV? Yes. GHSA-RC6V-5RMX-W5MV is fixed in 1.0.1. Upgrade to this version or later.
- Is GHSA-RC6V-5RMX-W5MV exploitable, and should I be worried? Whether GHSA-RC6V-5RMX-W5MV is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-RC6V-5RMX-W5MV is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-RC6V-5RMX-W5MV? Upgrade
github.com/arnika-project/arnikato 1.0.1 or later.