CVE-2025-54873

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-54873

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54873.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-54873

Aliases

GHSA-f6rc-24x4-ppxp

Published

2025-08-05T23:35:09.208Z

Modified

2026-04-02T12:59:43.121517Z

Severity

2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

RISC Zero Underconstrained Vulnerability: Division

Details

RISC Zero is a zero-knowledge verifiable general computing platform based on zk-STARKs and the RISC-V microarchitecture. RISC packages risc0-zkvm versions 2.0.0 through 2.1.0 and risc0-circuit-rv32im and risc0-circuit-rv32im-sys versions 2.0.0 through 2.0.4 contain vulnerabilities where signed integer division allows multiple outputs for certain inputs with only one being valid, and division by zero results are underconstrained. This issue is fixed in risc0-zkvm version 2.2.0 and version 3.0.0 for the risc0-circuit-rv32im and risc0-circuit-rv32im-sys packages.

Database specific

{
    "cwe_ids": [
        "CWE-369"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54873.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/risc0/risc0

Affected ranges

Type: GIT
Repo: https://github.com/risc0/risc0
Events: Introduced

3f26f9d4c2fb8a7e5eb830ae2433c8eae67f5a38

Fixed

eff3c74bf9992401c2c68bea95eb6c93b27999ec

Affected versions

bonsai-v2.*

bonsai-v2.1.0-1

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.1.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54873.json"