CVE-2025-58157 Overview
CVE-2025-58157 affects gnark, a zero-knowledge proof system framework developed by Consensys. The vulnerability exists in version 0.12.0 and stems from a scalar multiplication routine, based on the fake-GLV algorithm, that does not converge for certain inputs. For those inputs the algorithm fails to terminate quickly enough, resulting in a denial-of-service condition. The issue is tracked as CWE-400 (Uncontrolled Resource Consumption) and is patched in version 0.13.0.
Critical Impact
Remote attackers can submit crafted inputs that cause scalar multiplication operations to consume excessive resources, disrupting availability of cryptographic services that depend on gnark.
Affected Products
- Consensys gnark version 0.12.0
- Applications embedding gnark for zero-knowledge proof generation or verification
- Downstream components relying on gnark-crypto scalar multiplication primitives
Discovery Timeline
- 2025-08-29 - CVE-2025-58157 published to the National Vulnerability Database
- 2025-09-24 - Last updated in NVD database
Technical Details for CVE-2025-58157
Vulnerability Analysis
The vulnerability resides in gnark's implementation of elliptic curve scalar multiplication using the fake-GLV (Gallant-Lambert-Vanstone) algorithm. Scalar multiplication is a foundational operation in zero-knowledge proof systems, executed for every proof generation and verification routine. The fake-GLV optimization accelerates this operation by decomposing scalars into smaller components using lattice reduction techniques.
In version 0.12.0, the decomposition routine does not converge predictably for specific scalar inputs. Instead of terminating in the expected number of iterations, the routine continues iterating, consuming CPU time without producing a result. An attacker who can supply scalar inputs to a service that invokes the affected routine can trigger sustained CPU exhaustion. The flaw is classified under CWE-400.
Root Cause
The root cause is an algorithmic correctness defect in the fake-GLV scalar decomposition logic. The convergence condition assumed by the implementation does not hold for all inputs in the scalar field. When edge-case inputs are processed, the iterative reduction step fails to reach its terminating bound within an acceptable iteration count.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. Any service that accepts attacker-controlled scalars and forwards them to gnark's scalar multiplication API is exposed. This includes proof verifiers, rollup sequencers, and cryptographic services exposing public endpoints.
No public proof-of-concept exploit is currently published. Technical details of the convergence failure are discussed in the upstream issue tracker. See the GitHub Security Advisory GHSA-9fvj-xqr2-xwg8 and the upstream issue discussion for additional context.
Detection Methods for CVE-2025-58157
Indicators of Compromise
- Sustained single-core CPU saturation in processes linking against gnark or gnark-crypto 0.12.0
- Proof verification or generation requests that fail to return within expected latency budgets
- Repeated requests from the same source supplying anomalous scalar values to ZK proof endpoints
Detection Strategies
- Inventory all Go modules and binaries that import github.com/consensys/gnark or github.com/consensys/gnark-crypto and flag versions matching 0.12.0.
- Instrument scalar multiplication call sites with execution time metrics and alert on operations exceeding baseline duration thresholds.
- Monitor application logs for goroutine stalls or request timeouts originating from cryptographic processing paths.
Monitoring Recommendations
- Track per-request CPU time on services exposing zero-knowledge proof APIs and alert on outliers.
- Correlate high-CPU events with inbound request payloads to identify malicious scalar inputs.
- Apply rate limiting and request size enforcement to public proof submission endpoints.
How to Mitigate CVE-2025-58157
Immediate Actions Required
- Upgrade gnark to version 0.13.0 or later across all production and development environments.
- Rebuild and redeploy any binary that statically links against the affected gnark or gnark-crypto packages.
- Audit upstream dependency graphs to identify transitive consumers of gnark 0.12.0.
Patch Information
The fix is delivered in gnark 0.13.0. Upstream commits resolving the convergence behavior are available at the gnark patch commit 68be6ce and the corresponding gnark-crypto patch commit 5660088. Full advisory details are published in GHSA-9fvj-xqr2-xwg8.
Workarounds
- Enforce strict input validation on scalar values accepted by public endpoints to reject malformed or out-of-range inputs.
- Apply per-request execution time limits and CPU quotas to sandbox cryptographic operations.
- Deploy reverse-proxy rate limiting to constrain the frequency of proof verification requests from individual clients.
# Upgrade gnark to the patched release
go get github.com/consensys/gnark@v0.13.0
go mod tidy
go build ./...
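The per-operation time budget recommended under Detection Strategies and Workarounds above, as an added example in Go (not code from gnark or from the advisory): a wrapper that runs a scalar multiplication under a context deadline, records elapsed time, and counts budget misses for alerting. The `op` argument stands in for the real gnark scalar multiplication call; its signature is assumed here, and the fast and hanging operations in `main` are constructed stand-ins.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"math/big"
	"sync/atomic"
	"time"
)

// ErrBudgetExceeded is returned when a scalar multiplication misses its budget.
var ErrBudgetExceeded = errors.New("scalar multiplication exceeded time budget")

// slowOps counts operations that blew their budget; export SlowOpCount as a
// metric and alert on it, as the Detection Strategies above recommend.
var slowOps int64

func SlowOpCount() int64 { return atomic.LoadInt64(&slowOps) }

// GuardedScalarMul runs op under a hard deadline and reports elapsed time.
// op stands in for the gnark / gnark-crypto scalar multiplication call
// (hypothetical signature). Caveat: Go cannot preempt a goroutine, so a
// non-converging op keeps burning its core after we return; this bounds
// request latency and emits a signal, it does not replace upgrading to 0.13.0.
func GuardedScalarMul(ctx context.Context, budget time.Duration, op func(*big.Int) ([]byte, error), scalar *big.Int) ([]byte, time.Duration, error) {
	ctx, cancel := context.WithTimeout(ctx, budget)
	defer cancel()
	type result struct{ out []byte; err error }
	done := make(chan result, 1) // buffered: a late finisher must not block forever
	start := time.Now()
	go func() {
		out, err := op(scalar)
		done <- result{out, err}
	}()
	select {
	case r := <-done:
		return r.out, time.Since(start), r.err
	case <-ctx.Done():
		atomic.AddInt64(&slowOps, 1)
		return nil, time.Since(start), fmt.Errorf("%w (budget %s, scalar %d bits)", ErrBudgetExceeded, budget, scalar.BitLen())
	}
}

func main() {
	// Constructed stand-ins: a fast op and one that models a non-converging routine.
	fast := func(s *big.Int) ([]byte, error) { return s.Bytes(), nil }
	hang := func(s *big.Int) ([]byte, error) { time.Sleep(time.Second); return nil, nil }
	_, d, err := GuardedScalarMul(context.Background(), 200*time.Millisecond, fast, big.NewInt(42))
	fmt.Println("fast:", d, err)
	_, d, err = GuardedScalarMul(context.Background(), 50*time.Millisecond, hang, big.NewInt(42))
	fmt.Println("hang:", d, err, "slow ops:", SlowOpCount())
}
```

Because the abandoned goroutine keeps consuming CPU, pair this wrapper with process-level CPU quotas and treat repeated budget misses as an indicator to investigate, not as a fix.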
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.