Overview
A high-risk vulnerability has been discovered in the gnark framework, a widely used system for zero-knowledge proof. The vulnerability, dubbed CVE-2025-58157, could potentially lead to a denial of service, compromising systems or leading to data leakage. Given the ubiquitous use of the gnark framework, this vulnerability could potentially affect a large number of systems worldwide.
Vulnerability Summary
CVE ID: CVE-2025-58157
Severity: High – CVSS Score 7.5
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Potential system compromise or data leakage
Affected Products
A new way to communicate
Ameeba Chat is built on encrypted identity, not personal profiles.
Message, call, share files, and coordinate with identities kept separate.
- • Encrypted identity
- • Ameeba Chat authenticates access
- • Aliases and categories
- • End-to-end encrypted chat, calls, and files
- • Secure notes for sensitive information
Private communication, rethought.
Product | Affected Versions
gnark | 0.12.0
How the Exploit Works
The vulnerability lies in the fake-GLV algorithm used for computing scalar multiplication within the gnark framework. This algorithm fails to converge quickly enough for some inputs, potentially leading to a denial of service. An attacker could exploit this vulnerability by sending specific types of inputs that cause the algorithm to stall, leading to a denial of service.
Conceptual Example Code
While the specific details of the exploit are proprietary, a conceptual example might look something like this:
$ gnark compute --input malicious_input.txtIn the above example, `malicious_input.txt` contains specially crafted data that triggers the vulnerability in the fake-GLV algorithm, causing a denial of service.
Mitigation Guidance
Users are advised to apply the vendor patch (version 0.13.0) as soon as possible to mitigate this vulnerability. In the interim, the use of a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can serve as a temporary mitigation measure.