Go modules package
github.com/consensys/gnark
pkg:golang/github.com/consensys/gnark
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-58157 | — | >= 0.12.0, < 0.13.0 | 0.13.0 | Aug 29, 2025 | gnark is a zero-knowledge proof system framework. In version 0.12.0, there is a potential denial of service vulnerability when computing scalar multiplication is using the fake-GLV algorithm. This is because the algorithm didn't converge quickly enough for some of the inputs. Thi | ||
| CVE-2025-57801 | — | < 0.14.0 | 0.14.0 | Aug 22, 2025 | gnark is a zero-knowledge proof system framework. In versions prior to 0.14.0, the Verify function in eddsa.go and ecdsa.go used the S value from a signature without asserting that 0 ≤ S < order, leading to a signature malleability vulnerability. Because gnark’s native EdDSA and | ||
| CVE-2024-50354 | — | < 0.11.1 | 0.11.1 | Oct 31, 2024 | gnark is a fast zk-SNARK library that offers a high-level API to design circuits. In gnark 0.11.0 and earlier, deserialization of Groth16 verification keys allocate excessive memory, consuming a lot of resources and triggering a crash with the error fatal error: runtime: out of m | ||
| CVE-2024-45039 | — | < 0.11.0 | 0.11.0 | Sep 6, 2024 | gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Versions prior to 0.11.0 have a soundness issue - in case of multiple commitments used inside the circuit the prover is able to choose all but the last commitment. As gnark uses the commitments for | ||
| CVE-2024-45040 | — | < 0.11.0 | 0.11.0 | Sep 6, 2024 | gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.11.0, commitments to private witnesses in Groth16 as implemented break the zero-knowledge property. The vulnerability affects only Groth16 proofs with commitments. Notably, PLONK | ||
| CVE-2023-44378 | — | < 0.9.0 | 0.9.0 | Oct 9, 2023 | gnark is a zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.9.0, for some in-circuit values, it is possible to construct two valid decomposition to bits. In addition to the canonical decomposition of `a`, for small values there exists a second |
- CVE-2025-58157Aug 29, 2025affected >= 0.12.0, < 0.13.0fixed 0.13.0
gnark is a zero-knowledge proof system framework. In version 0.12.0, there is a potential denial of service vulnerability when computing scalar multiplication is using the fake-GLV algorithm. This is because the algorithm didn't converge quickly enough for some of the inputs. Thi
- CVE-2025-57801Aug 22, 2025affected < 0.14.0fixed 0.14.0
gnark is a zero-knowledge proof system framework. In versions prior to 0.14.0, the Verify function in eddsa.go and ecdsa.go used the S value from a signature without asserting that 0 ≤ S < order, leading to a signature malleability vulnerability. Because gnark’s native EdDSA and
- CVE-2024-50354Oct 31, 2024affected < 0.11.1fixed 0.11.1
gnark is a fast zk-SNARK library that offers a high-level API to design circuits. In gnark 0.11.0 and earlier, deserialization of Groth16 verification keys allocate excessive memory, consuming a lot of resources and triggering a crash with the error fatal error: runtime: out of m
- CVE-2024-45039Sep 6, 2024affected < 0.11.0fixed 0.11.0
gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Versions prior to 0.11.0 have a soundness issue - in case of multiple commitments used inside the circuit the prover is able to choose all but the last commitment. As gnark uses the commitments for
- CVE-2024-45040Sep 6, 2024affected < 0.11.0fixed 0.11.0
gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.11.0, commitments to private witnesses in Groth16 as implemented break the zero-knowledge property. The vulnerability affects only Groth16 proofs with commitments. Notably, PLONK
- CVE-2023-44378Oct 9, 2023affected < 0.9.0fixed 0.9.0
gnark is a zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.9.0, for some in-circuit values, it is possible to construct two valid decomposition to bits. In addition to the canonical decomposition of `a`, for small values there exists a second