CVE-2025-58157: gnark affected by denial of service when computing scalar multiplication using fake-GLV algorithm
For optimizing the scalar multiplication algorithm in circuit for some curves, gnark uses fake-GLV algorithm in case the curve doesn’t support true-GLV. For this to work, we need to compute the scalar decomposition using the Half GCD method in gnark-crypto. However, for some of the inputs the algorithm didn’t converge quickly enough.
In case the prover accepts untrusted witness, it could lead to denial of service as the prover gets stuck in a very slowly converging loop.
Thanks to @feltroidprime for reporting the issue and proposing a fix.
References
- github.com/Consensys/gnark
- github.com/Consensys/gnark-crypto/commit/56600883e0e9f9b159e9c7000b94e76185ec3d0d
- github.com/Consensys/gnark/commit/68be6cede36e387ab760725beabd3c96cc94e6dc
- github.com/Consensys/gnark/issues/1483
- github.com/Consensys/gnark/security/advisories/GHSA-9fvj-xqr2-xwg8
- github.com/advisories/GHSA-9fvj-xqr2-xwg8
- nvd.nist.gov/vuln/detail/CVE-2025-58157
Code Behaviors & Features
Detect and mitigate CVE-2025-58157 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →