CVE-2025-57801

22.08.2025, 20:15

gnark is a zero-knowledge proof system framework. In versions prior to 0.14.0, the Verify function in eddsa.go and ecdsa.go used the S value from a signature without asserting that 0  S < order, leading to a signature malleability vulnerability. Because gnarks native EdDSA and ECDSA circuits lack essential constraints, multiple distinct witnesses can satisfy the same public inputs. In protocols where nullifiers or anti-replay checks are derived from R and S, this enables signature malleability and may allow double spending. This issue has been addressed in version 0.14.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.1 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
GitHub_M	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Vendor	Product	Version
consensys	gnark	𝑥 < 0.14.0

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/Consensys/gnark/security/advisories/GHSA-95v9-hv42-pwrj

Common Weakness Enumeration

CWE-347 - Improper Verification of Cryptographic Signature
The software does not verify, or incorrectly verifies, the cryptographic signature for data.

References

https://github.com/Consensys/gnark/commit/0ba6730f05537a351517998add89a61a0d82716e

https://github.com/Consensys/gnark/security/advisories/GHSA-95v9-hv42-pwrj