CVE-2025-24802
📋 TL;DR
This vulnerability in Plonky2 allows a malicious prover to falsely prove that f(0)=0 for any lookup table f when the table length isn't divisible by 26, due to zero-padding in LookupTableGate implementations. This affects systems using Plonky2 for SNARK proofs where lookup table integrity is critical, potentially compromising proof validity in zero-knowledge applications.
💻 Affected Systems
- Plonky2
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of zero-knowledge proof systems using Plonky2, allowing malicious provers to generate false proofs that appear valid, undermining the cryptographic guarantees of applications like blockchain scaling solutions or privacy-preserving protocols.
Likely Case
Integrity violations in SNARK proofs where lookup tables are used, potentially allowing provers to manipulate proof outcomes in controlled ways, though requiring specific conditions about table lengths.
If Mitigated
Limited impact with proper table length validation and monitoring, though it still represents a cryptographic vulnerability that should be addressed.
🎯 Exploit Status
Exploitation requires an understanding of Plonky2's lookup table implementation and the ability to act as a prover. The vulnerability is deterministic based on table length.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.1
Vendor Advisory: https://github.com/0xPolygonZero/plonky2/security/advisories/GHSA-hj49-h7fq-px5h
Restart Required: No
Instructions:
1. Update Plonky2 dependency to version 1.0.1 or later.
2. For Rust projects: Update Cargo.toml to specify 'plonky2 = "^1.0.1"'.
3. Run 'cargo update' to fetch the patched version.
4. Rebuild and redeploy applications using Plonky2.
🔧 Temporary Workarounds
Table Length Adjustment
Extend lookup tables by repeating entries until their length becomes divisible by 26, preventing the zero-padding vulnerability.
🧯 If You Can't Patch
- Implement strict validation to ensure all lookup table lengths are divisible by 26 before processing.
- Monitor proof generation for anomalous behavior and implement additional verification layers for critical proofs.
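The table-length workaround and the length validation above can be sketched as follows. This is an added example, not Plonky2's own code: it uses only the standard library, the `Table` type, function names and sample table are assumptions made for illustration, and `pad_with_zeros` is a simplified model of the zero-padding this page describes.

```rust
// Added example: std-only model, not code from Plonky2 or the advisory.
// SLOTS = 26 is the divisor stated on this page; Table is an assumed
// stand-in for a lookup table given as (input, output) pairs.
const SLOTS: usize = 26;
type Table = Vec<(u16, u16)>;

#[derive(Debug, PartialEq)]
enum TableError {
    Empty, // nothing to repeat, so the workaround cannot be applied
}

/// Validation: true when the table needs no padding rows at all.
fn is_safe_length(table: &[(u16, u16)]) -> bool {
    !table.is_empty() && table.len() % SLOTS == 0
}

/// Workaround: cycle through existing entries until the length is a
/// multiple of SLOTS. Only pairs already in the table are ever added.
fn pad_by_repetition(table: &[(u16, u16)]) -> Result<Table, TableError> {
    if table.is_empty() {
        return Err(TableError::Empty);
    }
    let target = (table.len() + SLOTS - 1) / SLOTS * SLOTS;
    Ok(table.iter().copied().cycle().take(target).collect())
}

/// Simplified model of the flawed behaviour: unused slots filled with zeros.
fn pad_with_zeros(table: &[(u16, u16)]) -> Table {
    let mut out = table.to_vec();
    out.resize((table.len() + SLOTS - 1) / SLOTS * SLOTS, (0, 0));
    out
}

/// Did padding make (0, 0) look like a table row although f(0) != 0?
fn introduces_zero_pair(original: &[(u16, u16)], padded: &[(u16, u16)]) -> bool {
    !original.contains(&(0, 0)) && padded.contains(&(0, 0))
}

fn main() {
    // Constructed sample: f(x) = x + 1 on 0..30, so f(0) = 1 and 30 % 26 != 0.
    let table: Table = (0u16..30).map(|x| (x, x + 1)).collect();
    println!("safe length before: {}", is_safe_length(&table));
    let fixed = pad_by_repetition(&table).expect("non-empty table");
    println!("len {} -> {}, safe: {}", table.len(), fixed.len(), is_safe_length(&fixed));
    println!("zero padding adds (0,0): {}", introduces_zero_pair(&table, &pad_with_zeros(&table)));
    println!("repetition adds (0,0): {}", introduces_zero_pair(&table, &fixed));
}
```

Running `is_safe_length` as a build-time or startup check on every table gives the "strict validation" item a concrete failure point while the dependency is still below 1.0.1.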
🔍 How to Verify
Check if Vulnerable:
Check if Plonky2 version is below 1.0.1 and if the application uses lookup tables with lengths not divisible by 26.
Check Version:
For Rust projects: 'cargo tree | grep plonky2' or check Cargo.lock for plonky2 version.
Verify Fix Applied:
Verify Plonky2 version is 1.0.1 or higher and test that lookup tables with various lengths (including those not divisible by 26) no longer exhibit the zero-padding behavior.
📡 Detection & Monitoring
Log Indicators:
- Unusual proof generation patterns
- Lookup table operations with lengths not divisible by 26
- Proof verification failures for tables that should be valid
Network Indicators:
- Increased proof submission rates from single provers
- Proofs with unexpected zero-value mappings
SIEM Query:
source="application_logs" AND (("lookup table" AND "length" AND NOT "divisible by 26") OR ("proof" AND "anomalous" AND "plonky2"))