N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-52484

CVE-2025-52484: zkVM Underconstrained Vulnerability

Due to a missing constraint in the rv32im circuit, any 3-register RISC-V instruction (including remu and divu) in risc0-zkvm 2.0.0, 2.0.1, and 2.0.2 are vulnerable to an attack by a malicious prover. The main idea for the attack is to confuse the RISC-V virtual machine into treating the value of the rs1 register as the same as the rs2 register due to a lack of constraints in the rv32im circuit.

This vulnerability was reported by Christoph Hochrainer via our Hackenproof bug bounty. We have evaluated the severity of the vulnerability as “Critical,” and paid a bounty.

The fix for the circuit was implemented in zirgen/pull/238, and the update to risc0 was implemented in risc0/pull/3181. Impacted on-chain verifiers have already been disabled via the estop mechanism outlined in the Verifier Management Design.

Mitigation

We recommend all impacted users upgrade as soon as possible.

Rust applications using the risc0-zkvm crate at versions 2.0.0, 2.0.1, and 2.0.2 should upgrade to version 2.1.0.

Smart contract applications using the official RISC Zero Verifier Router do not need to take any action: zkVM version 2.1 is active on all official routers, and version 2.0 has been disabled.

Smart contract applications not using the verifier router should update their contracts to send verification calls to the 2.1 version of the verifier.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-52484

CVE-2025-52484:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
risc0-zkvm	rust	>= 2.0.0, <= 2.0.2	2.1.0
risc0-circuit-rv32im	rust	>= 2.0.0, <= 2.0.3	2.0.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists because of a missing constraint in the rv32im circuit design, which is defined in the risc0/zirgen repository. Specifically, the circuit did not properly constrain the case where the source registers rs1 and rs2 for a 3-register instruction are the same. This allowed a malicious prover to generate a proof where the virtual machine would use the value of rs1 for the rs1 operation, but a different, unconstrained value for the rs2 operation, even though rs2 was the same register as rs1.

The fix was twofold:

Circuit Definition Fix (in risc0/zirgen): The ZIR (Zero-Knowledge Intermediate Representation) files that define the circuit logic were updated. A new component, ReadSourceRegs, was introduced in inst.zir. This component explicitly checks if rs1 and rs2 are the same. If they are, it performs only one register read. If not, it reads both. This new, constrained component was then used by the input-handling components for various instruction types (DivInput, MulInput, MiscInput, MemStoreInput), patching the logical flaw in the circuit's definition.
Emulator Fix (in risc0/risc0): The Rust and C++/CUDA emulators, which execute guest code and generate the execution trace for the prover, needed to be updated to match the new circuit logic. In the Rust code (risc0/circuit/rv32im/src/execute/rv32im.rs), the step_compute and step_store functions were identified as vulnerable. They previously fetched rs1 and rs2 in separate, unconstrained operations. The patch introduced a new load_rs2 helper function that implements the same logic as the ReadSourceRegs circuit component. By calling this function, step_compute and step_store now correctly handle the rs1 == rs2 case, preventing the vulnerability.

The identified vulnerable functions are the key points in the software emulator where this flawed logic was executed. Any 3-register instruction passing through these functions was susceptible to the attack.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-52484: zkVM Underconstrained Vulnerability

Mitigation

CVE-2025-52484:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2025-52484: zkVM Underconstrained Vulnerability

Mitigation

N/A

N/A

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI