Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    1 vulnerability by 0xPolygonZero

    CVE-2025-24802 (GCVE-0-2025-24802)

    Vulnerability from cvelistv5 – Published: 2025-01-30 19:20 – Updated: 2025-01-30 19:55
    VLAI
    Title
    Soundness issue with Plonky2 look up tables
    Summary
    Plonky2 is a SNARK implementation based on techniques from PLONK and FRI. Lookup tables, whose length is not divisible by 26 = floor(num_routed_wires / 3) always include the 0 -> 0 input-output pair. Thus a malicious prover can always prove that f(0) = 0 for any lookup table f (unless its length happens to be divisible by 26). The cause of problem is that the LookupTableGate-s are padded with zeros. A workaround from the user side is to extend the table (by repeating some entries) so that its length becomes divisible by 26. This vulnerability is fixed in 1.0.1.
    Severity
    8.6 (High)
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1240 - Use of a Cryptographic Primitive with a Risky Implementation
    Assigner
    References
    Impacted products
    Vendor Product Version
    0xPolygonZero plonky2 Affected: = 1.0.0
    		Create a notification for this product.
    Show details on NVD website
    To clipboard 

    {
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24802",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-30T19:54:59.096334Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-30T19:55:17.620Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "plonky2",
          "vendor": "0xPolygonZero",
          "versions": [
            {
              "status": "affected",
              "version": "= 1.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Plonky2 is a SNARK implementation based on techniques from PLONK and FRI. Lookup tables, whose length is not divisible by 26 = floor(num_routed_wires / 3) always include the 0 -\u003e 0 input-output pair. Thus a malicious prover can always prove that f(0) = 0 for any lookup table f (unless its length happens to be divisible by 26). The cause of problem is that the LookupTableGate-s are padded with zeros. A workaround from the user side is to extend the table (by repeating some entries) so that its length becomes divisible by 26. This vulnerability is fixed in 1.0.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1240",
              "description": "CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-30T19:20:14.250Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/0xPolygonZero/plonky2/security/advisories/GHSA-hj49-h7fq-px5h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/0xPolygonZero/plonky2/security/advisories/GHSA-hj49-h7fq-px5h"
        },
        {
          "name": "https://github.com/0xPolygonZero/plonky2/commit/091047f7f10cae082716f3738ad59a583835f7b6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/0xPolygonZero/plonky2/commit/091047f7f10cae082716f3738ad59a583835f7b6"
        },
        {
          "name": "https://github.com/0xPolygonZero/plonky2/blob/main/plonky2/src/plonk/prover.rs#L97",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/0xPolygonZero/plonky2/blob/main/plonky2/src/plonk/prover.rs#L97"
        }
      ],
      "source": {
        "advisory": "GHSA-hj49-h7fq-px5h",
        "discovery": "UNKNOWN"
      },
      "title": "Soundness issue with Plonky2 look up tables"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-24802",
    "datePublished": "2025-01-30T19:20:14.250Z",
    "dateReserved": "2025-01-23T17:11:35.838Z",
    "dateUpdated": "2025-01-30T19:55:17.620Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}