CVE-2025-57801

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-57801
gnark is a zero-knowledge proof system framework. In versions prior to 0.14.0, the Verify function in eddsa.go and ecdsa.go used the S value from a signature without asserting that 0 ≤ S < order, leading to a signature malleability vulnerability. Because gnark’s native EdDSA and ECDSA circuits lack essential constraints, multiple distinct witnesses can satisfy the same public inputs. In protocols where nullifiers or anti-replay checks are derived from R and S, this enables signature malleability and may allow double spending. This issue has been addressed in version 0.14.0.

9.1 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/Consensys/gnark/commit/0ba6730f05537a351517998add89a61a0d82716e Patch
https://github.com/Consensys/gnark/security/advisories/GHSA-95v9-hv42-pwrj Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:consensys:gnark:*:*:*:*:*:*:*:*
History

12 Sep 2025, 19:05

Type Values Removed Values Added
CPE cpe:2.3:a:consensys:gnark:*:*:*:*:*:*:*:*
References () https://github.com/Consensys/gnark/commit/0ba6730f05537a351517998add89a61a0d82716e - () https://github.com/Consensys/gnark/commit/0ba6730f05537a351517998add89a61a0d82716e - Patch
References () https://github.com/Consensys/gnark/security/advisories/GHSA-95v9-hv42-pwrj - () https://github.com/Consensys/gnark/security/advisories/GHSA-95v9-hv42-pwrj - Exploit, Vendor Advisory
First Time Consensys gnark
Consensys
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.1

25 Aug 2025, 20:24

Type Values Removed Values Added
Summary
  • (es) gnark es un framework de sistemas a prueba de conocimiento cero. En versiones anteriores a la 0.14.0, la función Verificar de eddsa.go y ecdsa.go utilizaba el valor S de una firma sin afirmar que 0 ? S &lt; orden, lo que generaba una vulnerabilidad de maleabilidad de firma. Dado que los circuitos EdDSA y ECDSA nativos de Gnark carecen de restricciones esenciales, varios testigos distintos pueden satisfacer las mismas entradas públicas. En protocolos donde los anuladores o las comprobaciones antirrepetición se derivan de R y S, esto permite la maleabilidad de firma y puede permitir el doble gasto. Este problema se ha solucionado en la versión 0.14.0.

22 Aug 2025, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-08-22 20:15

Updated : 2025-09-12 19:05

NVD link : CVE-2025-57801

Mitre link : CVE-2025-57801

CVE.ORG link : CVE-2025-57801

JSON object : View

Products Affected

consensys

  • gnark
CWE
CWE-347

Improper Verification of Cryptographic Signature