Layer-Two Scalability Solution Vulnerability in Cardano's Hydra
CVE-2025-48886
4.8 MEDIUM
What is CVE-2025-48886?
Hydra, a layer-two scalability solution for Cardano, suffers from a vulnerability where it incorrectly assumes layer-one (L1) event finality. Specifically, it does not account for failed transactions on Cardano L1, which can expose the system to re-org attacks. Prior to version 0.22.0, nodes treated certain transactions as finalized upon recognition, leading to potential exploitation of the transaction flow. This issue has been addressed in version 0.22.0 through essential updates that enhance the integrity of state progression and transaction validation.
Affected Version(s)
hydra < 0.22.0