CVE-2025-57801 HIGH

CVE-2025-57801: gnark is vulnerable to signature malleability in EdDSA and ECDSA due to missing scalar checks

Vendor Consensys
Product gnark
Weakness CWE-347
Published August 22, 2025
Last update August 22, 2025

CVSS base score

8.6/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

gnark is a zero-knowledge proof system framework. In versions prior to 0.14.0, the Verify function in eddsa.go and ecdsa.go used the S value from a signature without asserting that 0 ≤ S < order, leading to a signature malleability vulnerability. Because gnark’s native EdDSA and ECDSA circuits lack essential constraints, multiple distinct witnesses can satisfy the same public inputs. In protocols where nullifiers or anti-replay checks are derived from R and S, this enables signature malleability and may allow double spending. This issue has been addressed in version 0.14.0.

Key dates

02Disclosure timeline

August 22, 2025 CVE published
August 22, 2025 Record updated