Zero-Knowledge Verifiable Computing Vulnerability in RISC Zero Platform
CVE-2025-52884

1.7 LOW

Key Information:

Vendor

Risc0

CVE Published:
24 June 2025

What is CVE-2025-52884?

The Steel Solidity library in the RISC Zero platform (the risc0-ethereum repository), before versions 2.1.1 and 2.2.0, contains a flaw in Steel.validateCommitment: the function accepts crafted commitments whose digest is zero. It is supposed to return true only for commitments that correspond to a valid block of the chain, and a zero digest links to no existing block, so accepting one breaks the soundness guarantee the library is meant to provide. The flaw is not exploitable on its own: it compromises soundness only in combination with a further weakness or with misuse of the library (for example a contract that relies on validateCommitment alone and never verifies the zkVM proof). Users of version 2.1.0 or earlier should upgrade and, until then, make sure their contracts verify the zkVM proof against the journal in addition to calling validateCommitment; the commitment check by itself establishes nothing about the proven statement.
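
As an added example (not code from the CVE record or from the risc0-ethereum repository), the following Solidity consumer performs both checks the advice above calls for and additionally rejects a zero digest before calling the library, as defense in depth for deployments still on 2.1.0 or earlier. The import remappings, the `Steel.Commitment` field names, the `validateCommitment` and `verify` signatures, the contract name and the journal layout are assumptions to be checked against the version in use.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not part of the CVE record or of the risc0-ethereum code base.
// Assumed API (verify against the Steel version you depend on):
//   - Steel.Commitment has the fields `id`, `digest` and `configID`, and the
//     guest writes that struct at the start of its journal.
//   - Steel.validateCommitment(Steel.Commitment memory) returns (bool).
//   - IRiscZeroVerifier.verify(bytes seal, bytes32 imageId, bytes32 journalDigest)
//     reverts when the proof does not verify.
//   - The "risc0/" remapping points at risc0-ethereum/contracts/src.
import {Steel} from "risc0/steel/Steel.sol";
import {IRiscZeroVerifier} from "risc0/IRiscZeroVerifier.sol";

contract SteelConsumer {
    IRiscZeroVerifier public immutable verifier;
    bytes32 public immutable imageId; // image ID of the (hypothetical) guest program
    uint256 public lastValue;

    error ZeroDigest();
    error InvalidCommitment();

    constructor(IRiscZeroVerifier _verifier, bytes32 _imageId) {
        verifier = _verifier;
        imageId = _imageId;
    }

    /// @param journalData ABI-encoded (Steel.Commitment, uint256), as committed by the guest.
    /// @param seal        zkVM proof (seal) over `journalData`.
    function submit(bytes calldata journalData, bytes calldata seal) external {
        (Steel.Commitment memory commitment, uint256 value) =
            abi.decode(journalData, (Steel.Commitment, uint256));

        // Defense in depth for Steel < 2.1.1: a zero digest links to no block,
        // so refuse it before the library is asked about it.
        if (commitment.digest == bytes32(0)) revert ZeroDigest();

        // Check 1: the commitment refers to a real block of this chain.
        if (!Steel.validateCommitment(commitment)) revert InvalidCommitment();

        // Check 2 (never skip it): the journal was produced by the expected guest.
        // The commitment check alone says nothing about `value`; only the proof does.
        verifier.verify(seal, imageId, sha256(journalData));

        lastValue = value;
    }
}
```

The order matters for gas only, not for security: both conditions must hold, and the contract reverts if either fails. Once the contract is on Steel 2.1.1 or 2.2.0 the explicit zero-digest guard becomes redundant, but it is harmless to keep.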

Affected Version(s)

risc0-ethereum < 2.1.1

CVSS V4

Score:
1.7
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
Physical (not a valid CVSS v4 Attack Requirements value, which is None or Present; treat this field as an extraction error and check the vector string in the upstream advisory)
Privileges Required:
Undefined (not a valid value; CVSS v4 Privileges Required is None, Low or High)
User Interaction:
None
