VYPR

Go modules package

github.com/consensys/gnark

pkg:golang/github.com/consensys/gnark

Vulnerabilities (6)

  • CVE-2025-58157Aug 29, 2025
    affected >= 0.12.0, < 0.13.0fixed 0.13.0

    gnark is a zero-knowledge proof system framework. In version 0.12.0, there is a potential denial of service vulnerability when computing scalar multiplication is using the fake-GLV algorithm. This is because the algorithm didn't converge quickly enough for some of the inputs. Thi

  • CVE-2025-57801Aug 22, 2025
    affected < 0.14.0fixed 0.14.0

    gnark is a zero-knowledge proof system framework. In versions prior to 0.14.0, the Verify function in eddsa.go and ecdsa.go used the S value from a signature without asserting that 0 ≤ S < order, leading to a signature malleability vulnerability. Because gnark’s native EdDSA and

  • CVE-2024-50354Oct 31, 2024
    affected < 0.11.1fixed 0.11.1

    gnark is a fast zk-SNARK library that offers a high-level API to design circuits. In gnark 0.11.0 and earlier, deserialization of Groth16 verification keys allocate excessive memory, consuming a lot of resources and triggering a crash with the error fatal error: runtime: out of m

  • CVE-2024-45039Sep 6, 2024
    affected < 0.11.0fixed 0.11.0

    gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Versions prior to 0.11.0 have a soundness issue - in case of multiple commitments used inside the circuit the prover is able to choose all but the last commitment. As gnark uses the commitments for

  • CVE-2024-45040Sep 6, 2024
    affected < 0.11.0fixed 0.11.0

    gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.11.0, commitments to private witnesses in Groth16 as implemented break the zero-knowledge property. The vulnerability affects only Groth16 proofs with commitments. Notably, PLONK

  • CVE-2023-44378Oct 9, 2023
    affected < 0.9.0fixed 0.9.0

    gnark is a zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.9.0, for some in-circuit values, it is possible to construct two valid decomposition to bits. In addition to the canonical decomposition of `a`, for small values there exists a second