CVE-2023-44378

gnark vulnerable to unsoundness in variable comparison/non-unique binary decomposition

Description

gnark is a zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.9.0, for some in-circuit values, it is possible to construct two valid decomposition to bits. In addition to the canonical decomposition of `a`, for small values there exists a second decomposition for `a+r` (where `r` is the modulus the values are being reduced by). The second decomposition was possible due to overflowing the field where the values are defined. Upgrading to version 0.9.0 should fix the issue without needing to change the calls to value comparison methods.

Category

7.1
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.03%
Third-Party Advisory github.com
Affected: Consensys gnark
Published at:
Updated at:

References

Link Tags
https://github.com/Consensys/gnark/security/advisories/GHSA-498w-5j49-vqjg patch mitigation third party advisory
https://github.com/zkopru-network/zkopru/issues/116 not applicable
https://github.com/Consensys/gnark/commit/59a4087261a6c73f13e80d695c17b398c3d0934f patch

Frequently Asked Questions

What is the severity of CVE-2023-44378?
CVE-2023-44378 has been scored as a high severity vulnerability.
How to fix CVE-2023-44378?
To fix CVE-2023-44378, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-44378 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-44378 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-44378?
CVE-2023-44378 affects Consensys gnark.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.