CVE-2025-24802

Name of the Vulnerable Software and Affected Versions Plonky2 versions prior to 1.0.1

Description The issue concerns lookup tables in Plonky2, a SNARK implementation based on techniques from PLONK and FRI. If a lookup table's length is not divisible by 26, which is calculated as floor(num routed wires / 3), it will always include the 0 -> 0 input-output pair. This allows a malicious prover to prove that f(0) = 0 for any lookup table f, unless its length happens to be divisible by 26. The problem arises because LookupTableGate-s are padded with zeros.

Recommendations For Plonky2 versions prior to 1.0.1, as a temporary workaround, consider extending the lookup table by repeating some entries so that its length becomes divisible by 26 to prevent malicious provers from manipulating proofs. For Plonky2 versions prior to 1.0.1, update to version 1.0.1 to fix the vulnerability.