34 matches found
CVE-2025-61588
RISC Zero is a zero-knowledge verifiable general computing platform based on zk-STARKs and the RISC-V microarchitecture. In versions 2.0.2 and below of risc0-zkvm-platform, when the zkVM guest calls sysread, the host is able to use a crafted response to write to an arbitrary memory location in th...
EUVD-2025-28438
Malicious code in bioql PyPI...
EUVD-2025-19064
Malicious code in bioql PyPI...
RISC Zero Ethereum Code Injection Vulnerability
RISC Zero Ethereum is a computing platform open-sourced by RISC Zero. A code injection vulnerability exists in RISC Zero Ethereum that originates from a host that can write to an arbitrary memory location of a guest using a specially crafted response, which could lead to the execution of...
Malicious code in risc-zero-developer-website (npm)
The package risc-zero-developer-website was found to contain malicious code...
MAL-2025-32271 Malicious code in risc-zero-developer-website (npm)
The package risc-zero-developer-website was found to contain malicious code...
CVE-2025-54873
RISC Zero is a zero-knowledge verifiable general computing platform based on zk-STARKs and the RISC-V microarchitecture. RISC packages risc0-zkvm versions 2.0.0 through 2.1.0 and risc0-circuit-rv32im and risc0-circuit-rv32im-sys versions 2.0.0 through 2.0.4 contain vulnerabilities where signed...
RISC Zero Ethereum Numeric Error Vulnerability
RISC Zero Ethereum is a computing platform open-sourced by RISC Zero. A numeric error vulnerability exists in RISC Zero Ethereum versions 2.1.0 and earlier and risc0-circuit-rv32im versions 2.0.4 and earlier, which stems from a signed integer division issue that could result in invalid output...
CVE-2025-54873 RISC Zero Underconstrained Vulnerability: Division
RISC Zero is a zero-knowledge verifiable general computing platform based on zk-STARKs and the RISC-V microarchitecture. RISC packages risc0-zkvm versions 2.0.0 through 2.1.0 and risc0-circuit-rv32im and risc0-circuit-rv32im-sys versions 2.0.0 through 2.0.4 contain vulnerabilities where signed...
CVE-2025-54873
Summary (CVE-2025-54873): RISC Zero's zkVM platform and related circuit packages contain a bug in signed integer division that can produce multiple outputs for some inputs (only one valid) and causes division-by-zero results to be underconstrained. Affected versions are: risc0-zkvm 2.0.0–2.1.0; ...
GHSA-F6RC-24X4-PPXP RISC Zero Underconstrained Vulnerability: Division
Two issues were found: For some inputs to signed integer division, the circuit allowed two outputs, only one of which was valid. Additionally, the result of division by zero was underconstrained. This vulnerability was identified using the Picus tool from Veridise. Impacted on-chain verifiers hav...
RISC Zero Underconstrained Vulnerability: Division
Two issues were found: For some inputs to signed integer division, the circuit allowed two outputs, only one of which was valid. Additionally, the result of division by zero was underconstrained. This vulnerability was identified using the Picus tool from Veridise. Impacted on-chain verifiers hav...
PT-2025-32005 · Risc Zero · Risc0-Zkvm +2
Name of the Vulnerable Software and Affected Versions: risc0-zkvm versions 2.0.0 through 2.1.0; risc0-circuit-rv32im versions 2.0.0 through 2.0.4; risc0-circuit-rv32im-sys versions 2.0.0 through 2.0.4. Description: RISC Zero is a zero-knowledge verifiable general computing platform based on zk-STARK...
CVE-2025-52884
RISC Zero is a zero-knowledge verifiable general computing platform, with Ethereum integration. The risc0-ethereum repository contains Solidity verifier contracts, Steel EVM view call library, and supporting code. Prior to versions 2.1.1 and 2.2.0, the Steel.validateCommitment Solidity library...
RISC Zero Ethereum invalid commitment with digest value of zero accepted by Steel.validateCommitment
Impact: Prior to 2.1.1 and 2.2.0, the Steel.validateCommitment Solidity library function will return true for a crafted commitment with a digest value of zero. This violates the semantics of validateCommitment, as such a commitment does not commit to a block that is in the current chain. Because the digest...
CVE-2025-52884 risc0-ethereum-contracts allows invalid commitment with digest value of zero to be accepted by Steel.validateCommitment
RISC Zero is a zero-knowledge verifiable general computing platform, with Ethereum integration. The risc0-ethereum repository contains Solidity verifier contracts, Steel EVM view call library, and supporting code. Prior to versions 2.1.1 and 2.2.0, the Steel.validateCommitment Solidity library...
CVE-2025-52884
CVE-2025-52884 (RISC Zero Ethereum) affects the risc0-ethereum project where the Solidity library function Steel.validateCommitment incorrectly returns true for a crafted commitment with a digest value of zero prior to versions 2.1.1 and 2.2.0. This violates the semantics of validateCommitment, a...