CVE-2025-54873: RISC Zero Underconstrained Vulnerability: Division

August 5, 2025 (updated August 6, 2025)

Two issues were found: For some inputs to signed integer division, the circuit allowed two outputs, only one of which was valid. Additionally, the result of division by zero was underconstrained.

This vulnerability was identified using the Picus tool from Veridise.

References

github.com/advisories/GHSA-f6rc-24x4-ppxp
github.com/risc0/risc0
github.com/risc0/risc0/pull/3235
github.com/risc0/risc0/security/advisories/GHSA-f6rc-24x4-ppxp
github.com/risc0/zirgen/pull/249
nvd.nist.gov/vuln/detail/CVE-2025-54873

Code Behaviors & Features

Detect and mitigate CVE-2025-54873 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →