CVE-2025-61588 Overview
CVE-2025-61588 is a critical Code Injection vulnerability affecting the RISC Zero zero-knowledge verifiable computing platform. The vulnerability exists in the sys_read system call implementation within the zkVM guest environment, where a malicious host can craft responses that enable arbitrary memory writes in the guest program. This flaw fundamentally undermines the security guarantees of zero-knowledge proof systems built on the affected RISC Zero packages.
The vulnerability is particularly severe because sys_read is the core mechanism by which guest programs request input from the host. Since all guest programs rely on this functionality, every application built with affected versions is vulnerable to exploitation. A successful attack allows arbitrary code execution within the guest environment, critically compromising the soundness guarantees that zero-knowledge proofs are designed to provide.
Critical Impact
All guest programs built with affected RISC Zero versions are vulnerable to arbitrary code execution through crafted host responses, completely compromising zero-knowledge proof soundness guarantees.
Affected Products
- risc0-zkvm-platform versions 2.0.2 and below
- risc0-aggregation versions below 0.9
- risc0-zkos-v1compat versions below 2.1.0
- risc0-zkvm versions between 3.0.0-rc.1 and 3.0.1
Discovery Timeline
- 2025-10-02 - CVE-2025-61588 published to NVD
- 2025-10-02 - Last updated in NVD database
Technical Details for CVE-2025-61588
Vulnerability Analysis
This vulnerability is classified under CWE-94 (Improper Control of Generation of Code), representing a Code Injection flaw in the RISC Zero zkVM platform. The vulnerability affects the core input/output mechanism between the host and guest environments in the zero-knowledge virtual machine architecture.
The RISC Zero platform provides a zero-knowledge verifiable computing environment based on zk-STARKs (Zero-Knowledge Scalable Transparent Arguments of Knowledge) and the RISC-V microarchitecture. In this architecture, guest programs execute within a sandboxed zkVM environment and communicate with the host through system calls. The sys_read system call is the primary interface for guest programs to receive input data from the host.
The flaw allows an attacker controlling the host to craft malicious responses to sys_read requests that write data to arbitrary memory locations within the guest environment, bypassing intended memory safety boundaries. This arbitrary write primitive can be leveraged to achieve full code execution within the guest, which has devastating implications for zero-knowledge proof systems that rely on the integrity of guest program execution.
Root Cause
The root cause lies in insufficient validation of host-provided data during the sys_read system call processing. When the guest invokes sys_read to request input, the host response handling code fails to properly validate the target memory address and bounds, allowing the host to specify write destinations outside the intended buffer. This improper input validation enables the arbitrary memory write primitive that leads to code execution.
Attack Vector
The attack requires network access to the host environment. An attacker with control over the host can exploit this vulnerability by:
- Waiting for the guest program to invoke sys_read to request input data
- Crafting a malicious response that specifies a memory location outside the intended input buffer
- Writing attacker-controlled data to an arbitrary guest memory address
- Leveraging the arbitrary write to corrupt code pointers, stack data, or other critical structures
- Achieving arbitrary code execution within the guest environment
This attack completely breaks the trust model of zero-knowledge proofs, as the proofs generated by compromised guests cannot be trusted to accurately reflect the intended computation.
The security patch introduced in GitHub Pull Request #3351 refactors the guest I/O mechanism to properly validate memory boundaries:
risc0-zkos-v1compat = { version = "2.1.0", path = "risc0/zkos/v1compat" }
risc0-zkp = { version = "3.0.2", default-features = false, path = "risc0/zkp" }
risc0-zkvm = { version = "4.0.0", default-features = false, path = "risc0/zkvm" }
-risc0-zkvm-platform = { version = "2.0.5", default-features = false, path = "risc0/zkvm/platform" }
+risc0-zkvm-platform = { version = "2.1.0", default-features = false, path = "risc0/zkvm/platform" }
rzup = { version = "0.6.0", default-features = false, path = "rzup" }
sppark = "0.1.12"
Source: GitHub Commit Update
Detection Methods for CVE-2025-61588
Indicators of Compromise
- Unexpected memory access patterns in zkVM guest execution logs
- Anomalous sys_read responses with memory addresses outside expected buffer ranges
- Zero-knowledge proofs that produce unexpected or inconsistent results
- Guest program crashes or unexpected termination during input processing
Detection Strategies
- Monitor zkVM execution environments for unusual memory write operations during sys_read calls
- Implement integrity checking on generated zero-knowledge proofs against expected computation results
- Audit host-guest communication channels for malformed or suspicious response payloads
- Use dependency scanning tools to identify vulnerable versions of risc0-zkvm-platform, risc0-aggregation, risc0-zkos-v1compat, and risc0-zkvm packages
Monitoring Recommendations
- Enable detailed logging of all host-guest I/O operations in RISC Zero deployments
- Implement alerting for guest programs that exhibit memory corruption indicators
- Monitor for proof verification failures that may indicate compromised guest execution
- Track dependency versions across development and production environments using software composition analysis tools
How to Mitigate CVE-2025-61588
Immediate Actions Required
- Upgrade risc0-zkvm-platform to version 2.1.0 or later immediately
- Update risc0-zkos-v1compat to version 2.1.0 or later
- Upgrade risc0-aggregation to version 0.9 or later
- Update risc0-zkvm to version 2.3.2, 3.0.3, or later depending on your version branch
- Rebuild all guest programs with patched dependencies
Patch Information
RISC Zero has released security patches addressing this vulnerability across multiple packages. The fixes are available in the following versions:
| Package | Fixed Version |
|---|---|
| risc0-zkvm-platform | 2.1.0 |
| risc0-zkos-v1compat | 2.1.0 |
| risc0-aggregation | 0.9 |
| risc0-zkvm | 2.3.2 and 3.0.3 |
The security fix is documented in GitHub Security Advisory GHSA-jqq4-c7wq-36h7 and implemented via commit 3f00e1fa.
Workarounds
- No effective workarounds exist for this vulnerability as sys_read is fundamental to guest program operation
- Consider temporarily suspending production use of affected zkVM deployments until patches can be applied
- Implement additional verification layers for zero-knowledge proofs generated by potentially compromised guests
- Isolate host environments to limit attacker access until patching is complete
# Update RISC Zero dependencies in Cargo.toml
# Ensure these minimum versions are specified:
cargo update -p risc0-zkvm-platform --precise 2.1.0
cargo update -p risc0-zkos-v1compat --precise 2.1.0
cargo update -p risc0-aggregation --precise 0.9
cargo update -p risc0-zkvm --precise 3.0.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
