CVE-2025-54429 (GCVE-0-2025-54429)
Vulnerability from cvelistv5
Published
2025-07-28 20:34
Modified
2025-07-28 20:46
Severity ?
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CWE
  • CWE-704 - Incorrect Type Conversion or Cast
Summary
Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. There are various account address types in Frontier, e.g. precompiled contracts, smart contracts, and externally owned accounts. Some EVM mechanisms should be unreachable by certain types of accounts for safety. For precompiles to be callable by smart contracts they must be explicitly configured as CallableByContract. If this configuration is absent, then the precompile should be unreachable via smart contract accounts. In commits prior to 0822030, the underlying implementation of CallableByContract which returned the AddressType was incorrect. It considered the contract address running under CREATE or CREATE2 to be AddressType::EOA rather than correctly as AddressType::Contract. The issue only affects users who use custom precompile implementations that utilize AddressType::EOA and AddressType::Contract. It's not directly exploitable in any of the predefined precompiles in Frontier. This is fixed in version 0822030.
References
security-advisories@github.comhttps://dotpal.io/assets/files/frontier-srlabs-2505-718c3bfa5df9fed1862fed05de506859.pdf
security-advisories@github.comhttps://github.com/polkadot-evm/frontier/pull/1655
security-advisories@github.comhttps://github.com/polkadot-evm/frontier/security/advisories/GHSA-fr62-ppwc-mc2h
Impacted products
Vendor Product Version
polkadot-evm frontier Version: < 0822030
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54429",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-28T20:46:45.907352Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-28T20:46:59.149Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "frontier",
          "vendor": "polkadot-evm",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0822030"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. There are various account address types in Frontier, e.g. precompiled contracts, smart contracts, and externally owned accounts. Some EVM mechanisms should be unreachable by certain types of accounts for safety. For precompiles to be callable by smart contracts they must be explicitly configured as CallableByContract. If this configuration is absent, then the precompile should be unreachable via smart contract accounts. In commits prior to 0822030, the underlying implementation of CallableByContract which returned the AddressType was incorrect. It considered the contract address running under CREATE or CREATE2 to be AddressType::EOA rather than correctly as AddressType::Contract. The issue only affects users who use custom precompile implementations that utilize AddressType::EOA and AddressType::Contract. It\u0027s not directly exploitable in any of the predefined precompiles in Frontier. This is fixed in version 0822030."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-704",
              "description": "CWE-704: Incorrect Type Conversion or Cast",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T20:34:56.710Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/polkadot-evm/frontier/security/advisories/GHSA-fr62-ppwc-mc2h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/polkadot-evm/frontier/security/advisories/GHSA-fr62-ppwc-mc2h"
        },
        {
          "name": "https://github.com/polkadot-evm/frontier/pull/1655",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/polkadot-evm/frontier/pull/1655"
        },
        {
          "name": "https://dotpal.io/assets/files/frontier-srlabs-2505-718c3bfa5df9fed1862fed05de506859.pdf",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://dotpal.io/assets/files/frontier-srlabs-2505-718c3bfa5df9fed1862fed05de506859.pdf"
        }
      ],
      "source": {
        "advisory": "GHSA-fr62-ppwc-mc2h",
        "discovery": "UNKNOWN"
      },
      "title": "Polkadot Frontier\u0027s constructing smart contract can bypass precompile address bounding"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54429",
    "datePublished": "2025-07-28T20:34:56.710Z",
    "dateReserved": "2025-07-21T23:18:10.282Z",
    "dateUpdated": "2025-07-28T20:46:59.149Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-54429\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-28T21:15:27.647\",\"lastModified\":\"2025-07-29T14:14:29.590\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. There are various account address types in Frontier, e.g. precompiled contracts, smart contracts, and externally owned accounts. Some EVM mechanisms should be unreachable by certain types of accounts for safety. For precompiles to be callable by smart contracts they must be explicitly configured as CallableByContract. If this configuration is absent, then the precompile should be unreachable via smart contract accounts. In commits prior to 0822030, the underlying implementation of CallableByContract which returned the AddressType was incorrect. It considered the contract address running under CREATE or CREATE2 to be AddressType::EOA rather than correctly as AddressType::Contract. The issue only affects users who use custom precompile implementations that utilize AddressType::EOA and AddressType::Contract. It\u0027s not directly exploitable in any of the predefined precompiles in Frontier. This is fixed in version 0822030.\"},{\"lang\":\"es\",\"value\":\"Polkadot Frontier es una capa de compatibilidad con Ethereum y EVM para Polkadot y Substrate. Existen varios tipos de direcciones de cuenta en Frontier, como contratos precompilados, contratos inteligentes y cuentas externas. Por seguridad, algunos mecanismos de EVM deber\u00edan ser inaccesibles para ciertos tipos de cuentas. Para que las precompilaciones sean invocables por contratos inteligentes, deben configurarse expl\u00edcitamente como CallableByContract. Si esta configuraci\u00f3n no est\u00e1 presente, la precompilaci\u00f3n deber\u00eda ser inaccesible a trav\u00e9s de cuentas de contratos inteligentes. En commits anteriores a la 0822030, la implementaci\u00f3n subyacente de CallableByContract que devolv\u00eda el tipo de direcci\u00f3n era incorrecta. Consideraba que la direcci\u00f3n del contrato que se ejecutaba bajo CREATE o CREATE2 era AddressType::EOA en lugar de la correcta AddressType::Contract. El problema solo afecta a los usuarios que usan implementaciones de precompilaci\u00f3n personalizadas que utilizan AddressType::EOA y AddressType::Contract. No se puede explotar directamente en ninguna de las precompilaciones predefinidas de Frontier. Esto se solucion\u00f3 en la versi\u00f3n 0822030.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-704\"}]}],\"references\":[{\"url\":\"https://dotpal.io/assets/files/frontier-srlabs-2505-718c3bfa5df9fed1862fed05de506859.pdf\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/polkadot-evm/frontier/pull/1655\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/polkadot-evm/frontier/security/advisories/GHSA-fr62-ppwc-mc2h\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54429\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-28T20:46:45.907352Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-28T20:46:50.346Z\"}}], \"cna\": {\"title\": \"Polkadot Frontier\u0027s constructing smart contract can bypass precompile address bounding\", \"source\": {\"advisory\": \"GHSA-fr62-ppwc-mc2h\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"polkadot-evm\", \"product\": \"frontier\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0822030\"}]}], \"references\": [{\"url\": \"https://github.com/polkadot-evm/frontier/security/advisories/GHSA-fr62-ppwc-mc2h\", \"name\": \"https://github.com/polkadot-evm/frontier/security/advisories/GHSA-fr62-ppwc-mc2h\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/polkadot-evm/frontier/pull/1655\", \"name\": \"https://github.com/polkadot-evm/frontier/pull/1655\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://dotpal.io/assets/files/frontier-srlabs-2505-718c3bfa5df9fed1862fed05de506859.pdf\", \"name\": \"https://dotpal.io/assets/files/frontier-srlabs-2505-718c3bfa5df9fed1862fed05de506859.pdf\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. There are various account address types in Frontier, e.g. precompiled contracts, smart contracts, and externally owned accounts. Some EVM mechanisms should be unreachable by certain types of accounts for safety. For precompiles to be callable by smart contracts they must be explicitly configured as CallableByContract. If this configuration is absent, then the precompile should be unreachable via smart contract accounts. In commits prior to 0822030, the underlying implementation of CallableByContract which returned the AddressType was incorrect. It considered the contract address running under CREATE or CREATE2 to be AddressType::EOA rather than correctly as AddressType::Contract. The issue only affects users who use custom precompile implementations that utilize AddressType::EOA and AddressType::Contract. It\u0027s not directly exploitable in any of the predefined precompiles in Frontier. This is fixed in version 0822030.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-704\", \"description\": \"CWE-704: Incorrect Type Conversion or Cast\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-28T20:34:56.710Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-54429\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-28T20:46:59.149Z\", \"dateReserved\": \"2025-07-21T23:18:10.282Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-28T20:34:56.710Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.