Full Report
Two popular AES libraries, aes-js and pyaes, supply a default IV (initial counter value) in their AES-CTR APIs. Although this was meant as a convenience from the API standpoint, it is a serious vulnerability. Why is reusing a key/IV pair so bad? CTR mode is a stream cipher: the ciphertext is the plaintext XORed with a keystream derived from the key and the counter. Encrypt two messages under the same key and the same starting counter and the keystreams are identical, so XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts; any known or guessable plaintext (a PEM header, a JSON field name) then exposes the other message, with no need for the key. Being able to recover plaintexts like this is fairly catastrophic. Even pyaes's own README example does this, so the pattern is likely all over the place.

strongMan is a web-based management interface for the strongSwan VPN suite. It allows credential and user management, as well as creating VPN connections. It keeps its secrets in an SQLite database encrypted with AES in CTR mode, implemented with pyaes and therefore with the default IV. This allowed X.509 certificates and private key material to be recovered from the database. The strongMan developer fixed the issue immediately and pressed the library developer to remove the footgun.

The article names and shames the developers of the open-source libraries, and praises the strongMan developers for remediating the issue immediately. I'm unsure how I feel about this. On the one hand, it's open-source software that is probably maintained by one person, so if you name and shame, maybe they stop, which is worse than having a security issue. On the other hand, we need to make sure this footgun gets fixed. Regardless, good technical article and bug discovery.
Analysis Summary
# Vulnerability: Cryptographic Failure via Default IV in aes-js and pyaes
## CVE Details
- **CVE ID**: CVE-2024-45388 (aes-js), CVE-2024-45387 (pyaes), GHSA-88w4-jv97-c8xr (strongMan)
- **CVSS Score**: 7.5 (High) - *Estimated based on cryptographic failure impact*
- **CWE**: CWE-329: Generation of Predictable IV with CBC Mode (the predictable-IV pattern, although the mode here is CTR) / CWE-323: Reusing a Nonce, Key Pair in Encryption
## Affected Systems
- **Products**:
- `aes-js` (JavaScript library)
- `pyaes` (Python library)
- `strongMan` (strongSwan VPN credential management tool)
- **Versions**:
- `aes-js`: All versions including 3.1.2
- `pyaes`: All versions including 1.6.1
- `strongMan`: Versions prior to the fix on September 13, 2024
- **Configurations**: Use of AES-CTR mode without explicitly providing a unique Initialization Vector (IV).
## Vulnerability Description
The `aes-js` and `pyaes` libraries fall back to a "helpful" default counter if the caller does not supply one when instantiating AES in Counter (CTR) mode: `pyaes.AESModeOfOperationCTR(key)` uses `Counter(initial_value=1)` and `new aesjs.ModeOfOperation.ctr(key)` uses `new Counter(1)`, i.e. the counter block `0x00000000_00000000_00000000_00000001`. The problem is not that the value is predictable but that every encryption under a given key starts from the same counter, so every message is XORed with the same keystream.
In CTR mode, using the same Key/IV pair more than once is catastrophic. CTR mode turns a block cipher into a stream cipher: the keystream is the encryption of successive counter blocks and the ciphertext is the plaintext XORed with it. Reusing the keystream lets an attacker XOR two ciphertexts together, cancelling the keystream and leaving the XOR of the two plaintexts. Any known part of one plaintext (a PEM header, a JSON key, a protocol constant) then yields the corresponding bytes of the other, or equivalently the keystream bytes at those positions, which decrypt the same positions of every other ciphertext produced under that key. No key recovery is needed at any point.
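A worked illustration of the attack just described, added here as an example; it is not code from the Trail of Bits post, nor from pyaes, aes-js or strongMan. To run with the standard library only it replaces the AES block function with a SHA-256 keyed PRF (an assumption, labelled in the code): CTR mode only ever encrypts the counter block, so the keystream construction, the default-counter footgun and the attack are structurally identical. The key, the two records and the counter value are constructed for the example; `DEFAULT_COUNTER = 1` mirrors what `pyaes.Counter()` and the aes-js `Counter` fall back to, and the random per-message counter at the end is the workaround recommended below.

```python
"""Two-time pad against CTR mode with a reused key/counter pair.

Added example, not code from the Trail of Bits post or from pyaes/aes-js/strongMan.
Assumption: the AES block encryption is replaced by a SHA-256 PRF keyed on
(key, counter) so the example is stdlib-only. CTR never inverts the block
function, so the construction and the attack are unchanged.
"""
import hashlib
import os

BLOCK = 16
DEFAULT_COUNTER = 1  # what pyaes.Counter() and the aes-js Counter default to


def block_fn(key: bytes, counter: int) -> bytes:
    """Stand-in for AES_key(counter_block): SHA-256 truncated to one block (assumption)."""
    return hashlib.sha256(key + counter.to_bytes(BLOCK, "big")).digest()[:BLOCK]


def ctr_encrypt(key: bytes, data: bytes, initial_counter: int = DEFAULT_COUNTER) -> bytes:
    """CTR mode: keystream block i = block_fn(key, initial_counter + i), XORed with data.
    The default initial_counter reproduces the library footgun. Encrypt == decrypt."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = block_fn(key, (initial_counter + i // BLOCK) % (1 << 128))
        out += bytes(p ^ k for p, k in zip(data[i:i + BLOCK], keystream))
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR over the overlapping prefix of a and b."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """c1 ^ c2 == p1 ^ p2 when the keystream is shared; knowing p1 (or any prefix)
    yields p2 for those positions. The key is never touched."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def recover_keystream(c: bytes, known_p: bytes) -> bytes:
    """Same fact, other view: c ^ p is the keystream, reusable against every other
    ciphertext made under the same key and initial counter."""
    return xor_bytes(c, known_p)


def demo() -> dict:
    key = b"constructed-16B!"  # constructed sample key
    # Constructed sample records of equal length, as a credential store might hold them.
    cert_pem = b"-----BEGIN CERTIFICATE-----\nMIIB..."
    key_pem = b"-----BEGIN PRIVATE KEY-----\nMIIE..."

    # Footgun: both records encrypted under the same key with the default counter.
    c_cert = ctr_encrypt(key, cert_pem)
    c_key = ctr_encrypt(key, key_pem)
    # The certificate is public, so the attacker has a full crib for record 1 ...
    leaked_key = recover_with_crib(c_cert, c_key, cert_pem)
    # ... and even a guessed PEM header alone recovers 27 keystream bytes.
    ks_prefix = recover_keystream(c_cert, cert_pem[:27])
    leaked_prefix = xor_bytes(c_key[:27], ks_prefix)

    # Fix: a fresh random 128-bit initial counter per encryption, stored with the ciphertext.
    iv1 = int.from_bytes(os.urandom(BLOCK), "big")
    iv2 = int.from_bytes(os.urandom(BLOCK), "big")
    s_cert = ctr_encrypt(key, cert_pem, iv1)
    s_key = ctr_encrypt(key, key_pem, iv2)
    failed_attempt = recover_with_crib(s_cert, s_key, cert_pem)  # noise, not the key

    return {
        "leaked_key": leaked_key,
        "leaked_prefix": leaked_prefix,
        "failed_attempt": failed_attempt,
        "key_pem": key_pem,
    }
```

`demo()` returns the recovered private-key record under the default counter, the header recovered from the PEM-header crib alone, and the noise that the same attack produces once each message gets its own random counter. Swapping `block_fn` for a real AES block encryption changes nothing else in the file.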
## Exploitation
- **Status**: PoC demonstrated by Trail of Bits; inherent in library design and examples.
- **Complexity**: Low (The vulnerability is triggered by following the library's official documentation).
- **Attack Vector**: Local/Network (Depends on how the application stores or transmits ciphertexts).
## Impact
- **Confidentiality**: High (Full recovery of plaintexts, including X.509 certificates and private keys in the case of strongMan).
- **Integrity**: High (CTR mode provides no authentication: flipping a bit in the ciphertext flips the same bit in the decrypted plaintext, so an attacker who can guess the plaintext can rewrite it undetected. This is a property of unauthenticated CTR itself and applies even with a unique IV, which is why the remediation below moves to an AEAD mode).
- **Availability**: Low (Primary impact is data exposure).
## Remediation
### Patches
- **strongMan**: Updated to replace `pyaes` with modern libraries and migrated from CTR to AES-GCM-SIV.
- **aes-js / pyaes**: As of the report, the maintainer has not implemented a breaking change to remove the default IV "footgun." Users are advised to switch libraries or manually ensure unique IVs.
### Workarounds
- **Mandatory IV Specification**: Never construct the CTR object without an explicit counter. In pyaes pass `counter=pyaes.Counter(initial_value)` and in aes-js pass `new aesjs.Counter(...)` (a number or a 16-byte array), using a fresh, cryptographically random 128-bit value for every encryption under a given key, and store that value alongside the ciphertext. A key/counter pair must never be used twice.
- **Migration**: Move to authenticated encryption (AEAD) modes like AES-GCM or AES-GCM-SIV using standard libraries like `cryptography` (Python) or the Web Crypto API (JS).
## Detection
- **Indicators of Vulnerability** (not of compromise; a leak leaves no trace in the data): identical ciphertext prefixes across different entries when the plaintexts share a prefix (e.g. a PEM header), or entirely identical ciphertexts for identical plaintexts, both of which only happen when the keystream is reused.
- **Detection Methods**: Static Analysis (SAST) for `AESModeOfOperationCTR(key)` calls with only one argument and no `counter=` keyword (pyaes), and for single-argument `new aesjs.ModeOfOperation.ctr(key)` calls (aes-js). Auditing stored blobs for a reused keystream by XORing entries pairwise: for text-like plaintexts the XOR of two entries encrypted under the same keystream has the high bit clear in every byte, whereas independent keystreams give a uniformly random XOR.
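The two detection methods above, as an added example that is not part of the Trail of Bits post or of the pyaes, aes-js or strongMan projects: a Python AST scan for `AESModeOfOperationCTR` calls that rely on the default counter, a regex heuristic for the analogous single-argument `ModeOfOperation.ctr(key)` call in aes-js, and a pairwise high-bit statistic over stored ciphertext blobs. The sample Python source, sample JavaScript and sample blobs are constructed for the example; the blobs are masked with a seeded pseudo-random stream standing in for a CTR keystream, which is all the statistic depends on.

```python
"""Detection helpers for the default-counter footgun.

Added example, not from the Trail of Bits post or from pyaes/aes-js/strongMan.
All sample inputs below are constructed.
"""
import ast
import random
import re
from itertools import combinations


# --- 1. SAST-style source scans -------------------------------------------------

def find_default_ctr_calls_py(source: str) -> list:
    """Line numbers of AESModeOfOperationCTR(...) calls that pass neither a second
    positional argument nor counter=..., i.e. calls that get the default counter.
    Handles both pyaes.AESModeOfOperationCTR(...) and a bare imported name."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name != "AESModeOfOperationCTR":
            continue
        explicit = len(node.args) >= 2 or any(kw.arg == "counter" for kw in node.keywords)
        if not explicit:
            hits.append(node.lineno)
    return hits


# aes-js: `new aesjs.ModeOfOperation.ctr(key)` with one argument falls back to Counter(1).
_JS_DEFAULT_CTR = re.compile(r"ModeOfOperation\.ctr\(\s*[^,()]+?\s*\)")


def find_default_ctr_calls_js(source: str) -> int:
    """Count of single-argument ModeOfOperation.ctr(...) calls (regex heuristic)."""
    return len(_JS_DEFAULT_CTR.findall(source))


SAMPLE_SOURCE = '''
import pyaes
key = b"x" * 16
bad = pyaes.AESModeOfOperationCTR(key)                             # default counter
ok1 = pyaes.AESModeOfOperationCTR(key, counter=pyaes.Counter(iv))  # explicit
ok2 = pyaes.AESModeOfOperationCTR(key, pyaes.Counter(iv))          # explicit
'''

SAMPLE_JS = """
var bad = new aesjs.ModeOfOperation.ctr(key);
var ok  = new aesjs.ModeOfOperation.ctr(key, new aesjs.Counter(counterBytes));
"""


# --- 2. Shared-keystream check over stored blobs ---------------------------------

def xor_high_bit_clear_ratio(a: bytes, b: bytes) -> float:
    """Fraction of bytes in a ^ b with the high bit clear. For text-like plaintexts
    (ASCII, PEM, JSON) a shared keystream cancels out and p1 ^ p2 has every high bit
    clear (ratio 1.0); independent keystreams give a uniform XOR (ratio near 0.5)."""
    n = min(len(a), len(b))
    if n == 0:
        return 0.0
    clear = sum(1 for x, y in zip(a, b) if (x ^ y) & 0x80 == 0)
    return clear / n


def find_reused_keystream(blobs: dict, threshold: float = 0.95) -> list:
    """Pairwise scan over {name: ciphertext}; returns (name1, name2, ratio) for
    pairs whose XOR looks like text XOR text rather than random bytes."""
    flagged = []
    for (n1, b1), (n2, b2) in combinations(blobs.items(), 2):
        ratio = xor_high_bit_clear_ratio(b1, b2)
        if ratio >= threshold:
            flagged.append((n1, n2, ratio))
    return flagged


def _stream(seed: int, n: int) -> bytes:
    """Constructed stand-in for a CTR keystream (seeded PRNG). Any stream cipher
    output, AES-CTR included, behaves identically for this check."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_sample_blobs() -> dict:
    """Three ASCII records as a credential store might hold them. 'cert' and
    'privkey' are masked with the same stream (the default-counter case);
    'user' gets its own stream."""
    records = {
        "cert": b"-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUE",
        "privkey": b"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG",
        "user": b'{"username":"alice","role":"admin","totp":"off"}',
    }
    seeds = {"cert": 1, "privkey": 1, "user": 2}
    return {
        name: bytes(p ^ k for p, k in zip(rec, _stream(seeds[name], len(rec))))
        for name, rec in records.items()
    }
```

The blob check needs no key and no plaintext, only the assumption that the stored data is text-like; a few dozen bytes are enough, since the chance that two independent keystreams give 95% clear high bits over 48 bytes is negligible. Binary plaintexts (DER, compressed data) defeat this particular statistic, and the source scans are then the reliable signal.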
## References
- Trail of Bits Advisory: hxxps://blog[.]trailofbits[.]com/2026/02/18/carelessness-versus-craftsmanship-in-cryptography/
- strongMan Security Advisory: hxxps://github[.]com/strongswan/strongMan/security/advisories/GHSA-88w4-jv97-c8xr
- Cryptographic Background: hxxps://blog[.]trailofbits[.]com/2024/09/13/friends-dont-let-friends-reuse-nonces/