CVE-2025-58157 – A denial of service vulnerability exists in gna... (How to Fix)

Q: What is the severity of CVE-2025-58157?

CVE-2025-58157 has a CVSS score of 7.5 (HIGH). A denial of service vulnerability exists in gnark versions 0.12.0 where the fake-GLV algorithm for scalar multiplication fails to converge quickly for certain inputs, causing excessive resource consumption. This affects systems using gnark for zero-knowledge proof computations. The vulnerability can be exploited by attackers providing malicious inputs to trigger the slow convergence.

📋 TL;DR

A denial of service vulnerability exists in gnark versions 0.12.0 where the fake-GLV algorithm for scalar multiplication fails to converge quickly for certain inputs, causing excessive resource consumption. This affects systems using gnark for zero-knowledge proof computations. The vulnerability can be exploited by attackers providing malicious inputs to trigger the slow convergence.

💻 Affected Systems

Products:

gnark
gnark-crypto

Versions: Version 0.12.0 specifically

Operating Systems: All platforms running gnark

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems using the fake-GLV algorithm for scalar multiplication. Other algorithms may not be vulnerable.

📦 What is this software?

Gnark by Consensys

View all CVEs affecting Gnark →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to CPU exhaustion from infinite or extremely long computation loops, potentially affecting all gnark-dependent services.

🟠

Likely Case

Degraded performance or temporary service disruption when processing specific malicious inputs, requiring service restarts.

🟢

If Mitigated

Minimal impact with proper input validation and resource limits, though some performance degradation may still occur.

🌐 Internet-Facing: MEDIUM - Exploitable if gnark processes untrusted inputs from external sources, but requires specific mathematical inputs.

🏢 Internal Only: LOW - Lower risk if only processing trusted internal data, though still possible via compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires crafting specific mathematical inputs that trigger the slow convergence, which may require understanding of the algorithm's implementation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.13.0

Vendor Advisory: https://github.com/Consensys/gnark/security/advisories/GHSA-9fvj-xqr2-xwg8

Restart Required: Yes

Instructions:

1. Update gnark to version 0.13.0 or later using 'go get github.com/consensys/gnark@v0.13.0'. 2. Update gnark-crypto to latest version. 3. Rebuild and redeploy applications. 4. Restart services using gnark.

🔧 Temporary Workarounds

Input validation and sanitization

all

Implement strict input validation to reject potentially malicious inputs before processing with gnark.

Resource limiting

all

Set CPU time limits or computation timeouts for gnark operations to prevent DoS.

// Example Go code: context.WithTimeout(ctx, time.Second*10)

🧯 If You Can't Patch

Implement strict input validation and sanitization for all gnark inputs
Deploy resource limits and timeouts on gnark computation operations

🔍 How to Verify

Check if Vulnerable:

Check if gnark version is exactly 0.12.0. Review code for use of fake-GLV scalar multiplication.

Check Version:

go list -m github.com/consensys/gnark

Verify Fix Applied:

Verify gnark version is 0.13.0 or later and gnark-crypto is updated. Test with known problematic inputs.

📡 Detection & Monitoring

Log Indicators:

Excessive CPU usage by gnark processes
Long-running computation operations
Process timeouts or crashes

Network Indicators:

Unusually large or complex mathematical inputs to gnark endpoints

SIEM Query:

process.name:"gnark" AND (cpu.usage > 90% OR duration > 30s)

📊 Metadata

CVE ID: CVE-2025-58157

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

EPSS Score: 0.21% exploit probability (42.9th percentile)

Published: August 29, 2025

Last Updated: September 24, 2025

🔗 References

https://github.com/Consensys/gnark-crypto/commit/56600883e0e9f9b159e9c7000b94e76185ec3d0d Patch
https://github.com/Consensys/gnark/commit/68be6cede36e387ab760725beabd3c96cc94e6dc Patch
https://github.com/Consensys/gnark/issues/1483 Exploit,Issue Tracking
https://github.com/Consensys/gnark/security/advisories/GHSA-9fvj-xqr2-xwg8 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-58157, you might also want to check these: