CVE-2025-53359: 
Rust vulnerability analysis and mitigation

ethereum is a common ethereum structs for Rust. Prior to ethereum crate v0.18.0, signature malleability (according to EIP-2) was only checked for "legacy" transactions, but not for EIP-2930, EIP-1559 and EIP-7702 transactions. This specification deviation was discovered and disclosed on July 2, 2025. The vulnerability affects ethereum crate versions prior to v0.18.0 (GitHub Advisory).

The vulnerability stems from inconsistent signature malleability checks across different transaction types. While the checks were properly implemented for legacy transactions, they were missing for EIP-2930, EIP-1559, and EIP-7702 transactions. The TransactionSignature type was designed to maintain the invariant for EIP-2, but this wasn't properly implemented for newer transaction types. The CVSS score for this vulnerability is 6.9 (Medium) with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (NVD).

The impact severity varies depending on the implementation context. For Ethereum mainnet usage, this is considered a high-severity issue due to the specification deviation. However, for single-implementation blockchains, the impact is considered low as signature malleability itself does not present a direct security risk (GitHub Advisory).

The issue has been patched in ethereum crate version v0.18.0. Users are recommended to upgrade to this version. As a temporary workaround, developers can manually implement transaction malleability checks outside of the crate, though upgrading is the preferred solution (GitHub Advisory).