Cyber Posture

CVE-2025-24802

High

Published: 30 January 2025

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N)
EPSS Score: 0.0012 (30.4th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Description

Plonky2 is a SNARK implementation based on techniques from PLONK and FRI. Lookup tables whose length is not divisible by 26 = floor(num_routed_wires / 3) always include the 0 -> 0 input-output pair. Thus a malicious prover can always prove that f(0) = 0 for any lookup table f (unless its length happens to be divisible by 26). The cause of the problem is that the LookupTableGates are padded with zeros. A workaround from the user side is to extend the table (by repeating some entries) so that its length becomes divisible by 26. This vulnerability is fixed in 1.0.1.

Security Summary

CVE-2025-24802 is a vulnerability in Plonky2, a SNARK implementation based on PLONK and FRI techniques. The issue affects lookup tables whose length is not divisible by 26 (floor(num_routed_wires / 3)): because LookupTableGates are zero-padded, such tables always include an extraneous 0 -> 0 input-output pair. This lets a malicious prover demonstrate f(0) = 0 for any lookup table f, unless the table length is already divisible by 26. The vulnerability, classified under CWE-1240 with a CVSS score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N), impacts Plonky2 versions prior to 1.0.1.

A remote attacker with no privileges can exploit this as a malicious prover in a Plonky2 verification scenario. By generating crafted proofs for affected lookup tables, the attacker achieves a high integrity impact: false statements such as f(0) = 0 pass verification for arbitrary functions f. This undermines the soundness of zero-knowledge proofs, potentially allowing invalid computations to pass verification in applications relying on Plonky2 for succinct proofs.

Mitigation is available via a user-side workaround: extend lookup tables by repeating entries to make their length divisible by 26. The vulnerability was fixed in Plonky2 version 1.0.1, as detailed in the project's GitHub security advisory (GHSA-hj49-h7fq-px5h), the fixing commit (091047f7f10cae082716f3738ad59a583835f7b6), and related code in prover.rs. Security practitioners using Plonky2 should upgrade immediately and audit lookup table configurations.
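To audit lookup table configurations as suggested above, the following added example (not Plonky2 code and not from the advisory) models the zero padding in plain Rust and applies the repeat-entries workaround. The function names, the `(u16, u16)` pair representation and `num_routed_wires = 80` are assumptions made for illustration.

```rust
// Added illustration in plain Rust; it does not call the plonky2 crate.
// Assumption: a lookup table is a list of (input, output) u16 pairs.
type Table = Vec<(u16, u16)>;

/// Slots per LookupTableGate: floor(num_routed_wires / 3), 26 in the advisory.
fn slots_per_gate(num_routed_wires: usize) -> usize {
    num_routed_wires / 3
}

/// Pairs accepted under the zero-padded layout: the table's own entries plus
/// (0, 0) filler for the last, partially used gate.
fn effective_pairs(table: &[(u16, u16)], slots: usize) -> Table {
    let mut rows = table.to_vec();
    while rows.len() % slots != 0 {
        rows.push((0, 0)); // zero padding acts as an extra 0 -> 0 entry
    }
    rows
}

/// True when padding adds a 0 -> 0 pair that the table itself never listed.
fn has_spurious_zero_pair(table: &[(u16, u16)], slots: usize) -> bool {
    table.len() % slots != 0 && !table.contains(&(0, 0))
}

/// Workaround: repeat existing entries until the length is a multiple of
/// `slots`, so no zero padding is needed.
fn pad_by_repetition(table: &[(u16, u16)], slots: usize) -> Table {
    let mut rows = table.to_vec();
    let mut i = 0;
    while rows.len() % slots != 0 {
        rows.push(table[i % table.len()]);
        i += 1;
    }
    rows
}

fn main() {
    let slots = slots_per_gate(80); // assumed wire count that yields 26
    // Constructed sample: f(x) = x + 1 for x in 0..30, so f(0) = 1, not 0.
    let table: Table = (0u16..30).map(|x| (x, x + 1)).collect();
    println!("affected: {}", has_spurious_zero_pair(&table, slots));
    println!("padded layout rows: {}", effective_pairs(&table, slots).len());
    let fixed = pad_by_repetition(&table, slots);
    println!("workaround length: {}", fixed.len());
}
```

A table that legitimately contains the pair 0 -> 0 is reported as unaffected, because the padding adds nothing that the table does not already allow.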

Details

CWE(s)
CWE-1240

MITRE ATT&CK Enterprise Techniques

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0
