CVE-2025-24802
Published: 30 January 2025
Summary
CVE-2025-24802 is a high-severity Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) vulnerability. Its CVSS base score is 8.6 (High).
Operationally, ranked at the 30.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely remediation of the Plonky2 lookup table padding flaw by patching to version 1.0.1, preventing malicious proofs from passing verification.
Enforces secure configuration settings for lookup tables by requiring lengths divisible by 26, implementing the user-side workaround to block exploitation.
Requires vulnerability scanning to identify CVE-2025-24802 in Plonky2 dependencies, enabling proactive patching or workaround application.
MITRE ATT&CK Enterprise TechniquesAI
Insufficient information to map techniques.NVD Description
Plonky2 is a SNARK implementation based on techniques from PLONK and FRI. Lookup tables, whose length is not divisible by 26 = floor(num_routed_wires / 3) always include the 0 -> 0 input-output pair. Thus a malicious prover can always prove…
more
that f(0) = 0 for any lookup table f (unless its length happens to be divisible by 26). The cause of problem is that the LookupTableGate-s are padded with zeros. A workaround from the user side is to extend the table (by repeating some entries) so that its length becomes divisible by 26. This vulnerability is fixed in 1.0.1.
Deeper analysisAI
CVE-2025-24802 is a vulnerability in Plonky2, a SNARK implementation based on PLONK and FRI techniques. The issue affects lookup tables whose length is not divisible by 26 (floor(num_routed_wires / 3)), as they always include an extraneous 0 -> 0 input-output pair due to zero-padding of LookupTableGates. This allows incorrect proofs for lookup table functions f where a malicious prover can demonstrate f(0) = 0, unless the table length is already divisible by 26. The vulnerability, classified under CWE-1240 with a CVSS score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N), impacts Plonky2 versions prior to 1.0.1.
A remote attacker with no privileges can exploit this as a malicious prover in a Plonky2 verification scenario. By generating crafted proofs for affected lookup tables, the attacker achieves high-integrity impact, enabling the verification of false statements such as f(0) = 0 for arbitrary functions f. This undermines the soundness of zero-knowledge proofs, potentially allowing invalid computations to pass verification in applications relying on Plonky2 for succinct proofs.
Mitigation is available via a user-side workaround: extend lookup tables by repeating entries to make their length divisible by 26. The vulnerability was fixed in Plonky2 version 1.0.1, as detailed in the project's GitHub security advisory (GHSA-hj49-h7fq-px5h), the fixing commit (091047f7f10cae082716f3738ad59a583835f7b6), and related code in prover.rs. Security practitioners using Plonky2 should upgrade immediately and audit lookup table configurations.
Details
- CWE(s)