GHSA-5xgj-pmjj-gw49 – risc0-zkvm

Package

Manager: cargo
Name: risc0-zkvm
Vulnerable Version: >=0 <=1.0.2

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

RISC Zero zkVM notes on zero-knowledge RISC Zero zkVM was designed from its inception to provide three main guarantees: 1. *Computational integrity*: that a given software program executed correctly. 2. *Succinctness*: that the proof of execution does not grow in relation to the program being executed. 3. *Zero Knowledge*: that details of the program execution are not visible within the proof of program execution. Ulrich Habock and Al Kindi have released [new research] that indicates that several STARK implementations -including our RISC Zero zkVM- do not meet the requirements to assert the specific property of zero knowledge provably. While a vast majority of real-world applications that leverage RISC Zero zkVM or similar systems depend primarily on computational integrity and succinctness, a subset of applications critically depend on the privacy guarantees provided by zero-knowledge; and for those use cases, users are cautioned to understand the research and make informed decisions based on the risks outlined in using an impacted system. Although the maintainers are not aware of any attacks that can take advantage of this potential weakness, they are working to proactively address this discovery as quickly as possible. [new research]: https://eprint.iacr.org/2024/1037

Metadata

Created: 2024-07-15T18:32:22Z
Modified: 2024-07-15T18:32:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-5xgj-pmjj-gw49/GHSA-5xgj-pmjj-gw49.json
CWE IDs: []
Alternative ID: N/A
Finding: F096
Auto approve: 1