CVE-2025-54873

RISC Zero Underconstrained Vulnerability: Division

Description

RISC Zero is a zero-knowledge verifiable general computing platform based on zk-STARKs and the RISC-V microarchitecture. RISC packages risc0-zkvm versions 2.0.0 through 2.1.0 and risc0-circuit-rv32im and risc0-circuit-rv32im-sys versions 2.0.0 through 2.0.4 contain vulnerabilities where signed integer division allows multiple outputs for certain inputs with only one being valid, and division by zero results are underconstrained. This issue is fixed in risc0-zkvm version 2.2.0 and version 3.0.0 for the risc0-circuit-rv32im and risc0-circuit-rv32im-sys packages.

References

Link	Tags
https://github.com/risc0/risc0/security/advisories/GHSA-f6rc-24x4-ppxp
https://github.com/risc0/risc0/pull/3235
https://github.com/risc0/zirgen/pull/249

Frequently Asked Questions

What is the severity of CVE-2025-54873?: CVE-2025-54873 has been scored as a low severity vulnerability.
How to fix CVE-2025-54873?: To fix CVE-2025-54873, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-54873 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2025-54873 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-54873?: CVE-2025-54873 affects risc0 risc0.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Category

CWE-369 – Divide By Zero

References

Frequently Asked Questions