
Cloud Vulnerability DB
A community-led vulnerabilities database
A security vulnerability (CVE-2025-58359) was identified in the frost-core Rust package affecting versions 2.0.0 to 2.2.0. The vulnerability relates to improper validation of the min_signers parameter in the refresh share functionality, which could compromise the security of participant shares. The issue was discovered by BlockSec and was patched in version 2.2.0, released on September 3, 2025 (GitHub Advisory).
The vulnerability exists in the frost_core::keys::refresh module, where the min_signers parameter (the signing threshold) was not properly validated. When shares were refreshed with a smaller threshold, signing attempts with the smaller threshold would fail, but it remained possible to sign with the original threshold. This could compromise the security of participant shares. The issue has been classified as CWE-269 (Improper Privilege Management) with a Moderate severity rating (GitHub Advisory).
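As an added illustration (not frost-core's code, and not a claim about how the library implements refresh), the Rust model below of a Shamir-style share refresh shows why lowering the threshold during a refresh does not take effect: adding shares of a lower-degree zero polynomial leaves the combined polynomial at its original degree, so the original number of shares still reconstructs the secret. The validation in checked_refresh, requiring the new threshold to equal the original one, is an assumed shape of the fix, not the library's actual check.

```rust
// Simplified Shamir-style model of share refresh (added illustration, not
// frost-core's code); arithmetic is over the prime field GF(2^31 - 1).
const P: u64 = 2_147_483_647;
fn add(a: u64, b: u64) -> u64 { (a + b) % P }
fn sub(a: u64, b: u64) -> u64 { (a + P - b % P) % P }
fn mul(a: u64, b: u64) -> u64 { ((a as u128 * b as u128) % P as u128) as u64 }
fn inv(a: u64) -> u64 {                       // Fermat: a^(P-2) mod P
    let (mut r, mut b, mut e) = (1, a, P - 2);
    while e > 0 { if e & 1 == 1 { r = mul(r, b); } b = mul(b, b); e >>= 1; }
    r
}
/// Evaluate a polynomial given as coefficients (constant term first) at x.
fn eval(coeffs: &[u64], x: u64) -> u64 {
    coeffs.iter().rev().fold(0, |acc, &c| add(mul(acc, x), c))
}

/// Deal shares of `secret` to participants 1..=n with threshold t, i.e. a
/// degree t-1 polynomial; `rand` supplies the t-1 non-constant coefficients.
fn deal(secret: u64, t: usize, n: usize, rand: &[u64]) -> Vec<(u64, u64)> {
    let mut coeffs = vec![secret];
    coeffs.extend_from_slice(&rand[..t - 1]);
    (1..=n as u64).map(|x| (x, eval(&coeffs, x))).collect()
}

/// Lagrange interpolation at x = 0: recovers the constant term (the secret)
/// when the number of shares is at least the polynomial's threshold.
fn reconstruct(shares: &[(u64, u64)]) -> u64 {
    shares.iter().fold(0, |acc, &(xi, yi)| {
        let li = shares.iter().filter(|&&(xj, _)| xj != xi)
            .fold(1, |l, &(xj, _)| mul(l, mul(xj, inv(sub(xj, xi)))));
        add(acc, mul(yi, li))
    })
}

/// Unchecked refresh: add shares of zero dealt with threshold `new_t`. If
/// new_t < old_t the summed polynomial still has degree old_t - 1, so new_t
/// shares do not reconstruct but old_t shares still do (the advisory's case).
fn refresh(shares: &[(u64, u64)], new_t: usize, rand: &[u64]) -> Vec<(u64, u64)> {
    let zero = deal(0, new_t, shares.len(), rand);
    shares.iter().zip(zero).map(|(&(x, y), (_, z))| (x, add(y, z))).collect()
}

/// Hardened entry point (assumed shape of the fix): reject any refresh whose
/// threshold differs from the one the shares were originally dealt with.
fn checked_refresh(shares: &[(u64, u64)], old_t: usize, new_t: usize, rand: &[u64])
    -> Result<Vec<(u64, u64)>, &'static str> {
    if new_t != old_t { return Err("min_signers must equal the original threshold"); }
    Ok(refresh(shares, new_t, rand))
}
```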
The vulnerability could cause a loss of security for participant shares when they are refreshed with a smaller min_signers value than the original threshold. The exact security implications were not fully determined, but the potential impact was significant enough to warrant immediate patching (GitHub Advisory).
Users should update to frost-core version 2.2.0 or later, which includes validation for the min_signers parameter. For systems that have already performed refresh share procedures with a smaller min_signers parameter, migration to a new key is strongly recommended. Users who don't use the refresh share functionality or haven't attempted to change the min_signers parameter are not affected (GitHub Release).
Source: This report was generated using AI