PT-2025-32005 · Risc Zero · Risc0-Circuit-Rv32Im+2

Veridiseaudits · Published 2025-08-05 · Updated 2025-08-06 · CVE-2025-54873

CVSS v4.0: 2.7 (Low)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions

risc0-zkvm versions 2.0.0 through 2.1.0
risc0-circuit-rv32im versions 2.0.0 through 2.0.4
risc0-circuit-rv32im-sys versions 2.0.0 through 2.0.4

Description

RISC Zero is a zero-knowledge verifiable general computing platform based on zk-STARKs and the RISC-V microarchitecture. The risc0-zkvm, risc0-circuit-rv32im, and risc0-circuit-rv32im-sys packages contain an issue where signed integer division allows multiple outputs for certain inputs, with only one being valid. Division by zero results are also underconstrained.

Recommendations

Update to risc0-zkvm version 2.2.0 or later.
Update to risc0-circuit-rv32im version 3.0.0 or later.
Update to risc0-circuit-rv32im-sys version 3.0.0 or later.
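The description names two ways a division constraint can be underconstrained: signed operands for which more than one (quotient, remainder) pair satisfies the constraint, and division by zero, where the quotient is not pinned down at all. The following added example (it is not RISC Zero's circuit code and does not reproduce the project's actual constraints) models this in plain Rust. `riscv_div_rem` is the RV32IM specification behaviour for DIV/REM; `magnitude_only_check` is a hypothetical, deliberately loose constraint set (the relation a = q*b + r over 32-bit wrapping arithmetic plus a bound on |r| only), and `admitted_outputs` enumerates which outputs each check accepts. The sample operands (7 / -2 and 5 / 0) and the search window are constructed for the demonstration.

```rust
// Added example, not RISC Zero's code: reference RV32IM signed division
// semantics versus a hypothetical underconstrained check.

/// RV32IM DIV/REM results for signed 32-bit operands, per the RISC-V spec:
/// quotient truncates toward zero, the remainder takes the dividend's sign,
/// division by zero yields (-1, dividend), and i32::MIN / -1 yields (i32::MIN, 0).
pub fn riscv_div_rem(dividend: i32, divisor: i32) -> (i32, i32) {
    if divisor == 0 {
        (-1, dividend)
    } else if dividend == i32::MIN && divisor == -1 {
        (i32::MIN, 0)
    } else {
        // Rust's `/` and `%` truncate toward zero, matching RISC-V DIV/REM.
        (dividend / divisor, dividend % divisor)
    }
}

/// The algebraic relation a == q*b + r evaluated mod 2^32, as a circuit
/// working in 32-bit limbs would see it.
pub fn relation_holds(dividend: i32, divisor: i32, q: i32, r: i32) -> bool {
    q.wrapping_mul(divisor).wrapping_add(r) == dividend
}

/// Hypothetical loose check: the relation plus |r| < |b|, with the bound
/// skipped when b == 0. It says nothing about the sign of r and nothing
/// about q when b == 0, so it admits several outputs for one input.
pub fn magnitude_only_check(dividend: i32, divisor: i32, q: i32, r: i32) -> bool {
    relation_holds(dividend, divisor, q, r)
        && (divisor == 0 || r.unsigned_abs() < divisor.unsigned_abs())
}

/// Strict check: the claimed output must equal the unique spec result.
pub fn spec_check(dividend: i32, divisor: i32, q: i32, r: i32) -> bool {
    riscv_div_rem(dividend, divisor) == (q, r)
}

/// Enumerate (q, r) pairs accepted by `check` for quotients within `window`
/// of the spec quotient, deriving r from the relation for each candidate q.
pub fn admitted_outputs(
    dividend: i32,
    divisor: i32,
    window: i32,
    check: fn(i32, i32, i32, i32) -> bool,
) -> Vec<(i32, i32)> {
    let (q_spec, _) = riscv_div_rem(dividend, divisor);
    let mut accepted = Vec::new();
    for dq in -window..=window {
        let q = q_spec.wrapping_add(dq);
        let r = dividend.wrapping_sub(q.wrapping_mul(divisor));
        if check(dividend, divisor, q, r) {
            accepted.push((q, r));
        }
    }
    accepted
}

fn main() {
    // Constructed sample inputs.
    for &(a, b) in &[(7i32, -2i32), (5, 0)] {
        println!("{} / {}: spec result {:?}", a, b, riscv_div_rem(a, b));
        println!("  loose check admits  {:?}", admitted_outputs(a, b, 3, magnitude_only_check));
        println!("  strict check admits {:?}", admitted_outputs(a, b, 3, spec_check));
    }
}
```

For 7 / -2 the loose check accepts both (-3, 1) and (-4, -1), while only (-3, 1) is the RISC-V result; for 5 / 0 it accepts every quotient in the window because the relation collapses to r == a. A sound constraint set has to fix the sign convention of the remainder and the exact outputs of the zero-divisor and overflow cases, which is what the strict check does.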

Exploit

Fix

Divide By Zero


Weakness Enumeration

Related Identifiers

CVE-2025-54873
GHSA-F6RC-24X4-PPXP

Affected Products

Risc0-Circuit-Rv32Im
Risc0-Circuit-Rv32Im-Sys
Risc0-Zkvm