PT-2025-26449 · Risc Zero · Risc0-Zkvm

Christoph Hochrainer · Published 2025-06-20 · Updated 2025-06-21 · CVE-2025-52484

CVSS v4.0: 2.7 (Low)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: risc0-zkvm versions 2.0.0 through 2.0.2
Description: The issue is due to a missing constraint in the rv32im circuit, allowing a malicious prover to attack any 3-register RISC-V instruction, including remu and divu, by confusing the RISC-V virtual machine into treating the value of the rs1 register as the same as the rs2 register. This vulnerability was reported via a bug bounty. The fix for the circuit and the update to risc0 have been implemented. Impacted on-chain verifiers have already been disabled.
Recommendations: For risc0-zkvm versions 2.0.0, 2.0.1, and 2.0.2, upgrade to version 2.1.0. For smart contract applications not using the official RISC Zero Verifier Router, update contracts to send verification calls to the 2.1 version of the verifier. No action is required for smart contract applications using the official RISC Zero Verifier Router, as zkVM version 2.1 is active on all official routers and version 2.0 has been disabled.
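
To check a project against the affected range above, the following added example (not part of the advisory or of RISC Zero's code) scans Cargo.lock text for risc0-zkvm entries in versions 2.0.0 through 2.0.2. The sample lockfile, the crate name example-dep and all function names are constructed for illustration.

```python
import re
# Affected range stated in the advisory: risc0-zkvm 2.0.0 through 2.0.2.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 0, 2)

# Constructed sample lockfile; "example-dep" is a made-up crate name.
SAMPLE_LOCK = '''\
[[package]]
name = "risc0-zkvm"
version = "2.0.1"
dependencies = [
 "example-dep",
]

[[package]]
name = "example-dep"
version = "2.0.1"

[[package]]
name = "risc0-zkvm"
version = "2.1.0"
'''

def parse_lock_packages(lock_text):
    # Collect (name, version) from every [[package]] table in Cargo.lock text.
    packages, current, in_package = [], {}, False
    for line in lock_text.splitlines() + ["["]:  # sentinel flushes last table
        line = line.strip()
        if line.startswith("["):
            if in_package and "name" in current and "version" in current:
                packages.append((current["name"], current["version"]))
            current, in_package = {}, line == "[[package]]"
        elif in_package:
            if m := re.match(r'^(name|version)\s*=\s*"([^"]*)"$', line):
                current[m.group(1)] = m.group(2)
    return packages

def is_affected(version):
    core = version.split("+", 1)[0]  # drop semver build metadata
    try:
        parts = tuple(int(p) for p in core.split("."))
    except ValueError:  # pre-release tags fall outside the stated range
        return False
    return len(parts) == 3 and AFFECTED_MIN <= parts <= AFFECTED_MAX

def affected_risc0(lock_text):
    return [v for n, v in parse_lock_packages(lock_text) if n == "risc0-zkvm" and is_affected(v)]

if __name__ == "__main__":
    print("affected risc0-zkvm versions:", affected_risc0(SAMPLE_LOCK))
```

Any version the check returns should be upgraded to 2.1.0, as the recommendation states; a lockfile can list the crate more than once, so every entry is checked.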

Weakness Enumeration: Insufficient Verification of Data Authenticity
Related Identifiers: CVE-2025-52484, GHSA-G3QG-6746-3MG9
Affected Products: Risc0-Zkvm