GHSA-JQQ4-C7WQ-36H7
Vulnerability from github – Published: 2025-10-01 21:04 – Updated: 2025-10-02 15:11Arbitrary code execution in guest via memory safety failure in sys_read
In affected versions of risc0-zkvm-platform, when the zkVM guest calls sys_read, the host is able to use a crafted response to write to an arbitrary memory location in the guest. This capability can be leveraged to execute arbitrary code within the guest. As sys_read is the mechanism by which input is requested by the guest, all guest programs built with the affected versions are vulnerable. This critically compromises the soundness guarantees of the guest program.
A fix was applied in #3351. The vulnerable pointer arithmetic was removed, and replaced with a simplified implementation in the v1compat kernel which uses Rust’s slice functions to guarantee memory safety.
The fix has been released as part of risc0-zkvm versions 2.3.2 and 3.0.3. All prior versions are affected.
Remediation
All developers of zkVM applications should update their guests to use risc0-zkvm versions ^2.3.2 or ^3.0.3.
This upgrade can be accomplished by editing all Cargo.toml files in the following way.
- Any references to
risc0-zkvmshould use version specifiers”2.3.2”or”3.0.3”. - Any references to
risc0-buildshould use version specifiers”2.3.2”or”3.0.3”, matchingrisc0-zkvm. - Any references to
risc0-zkvm-platformshould use version specifier”2.1.0”or later. Most projects will not have direct references to this crate.
Rebuild your application including the guest. You can run the following command to check that the patch is applied:
# Provide the path to your guest Cargo.toml. Should report risc0-zkvm-platform >=v2.1.0
cargo tree --depth 0 -p risc0-zkvm-platform --manifest-path path/to/methods/guest/Cargo.toml
Any applications that use the image ID of this guest need to be updated with the newly built image ID.
Note that there are no changes to the RISC Zero proof system or circuits. Provers are not required to take any action. Users of the Groth16 smart contract verifier and the RISC Zero Verifier Router are not required to take any action beyond updating their guest programs.
Any applications using the risc0-aggregation crate or the RiscZeroSetVerifier smart contract should update to version >=0.9. This application includes a zkVM guest, which is vulnerable in versions prior to 0.9. Instances of the RiscZeroSetVerifier operated by RISC Zero have been disabled via the estop mechanism outlined in the Verifier Management Design.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "risc0-zkvm-platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "risc0-zkos-v1compat"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "risc0-aggregation"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "risc0-zkvm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "risc0-zkvm"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61588"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-01T21:04:59Z",
"nvd_published_at": "2025-10-02T00:15:49Z",
"severity": "CRITICAL"
},
"details": "# Arbitrary code execution in guest via memory safety failure in `sys_read`\n\nIn affected versions of `risc0-zkvm-platform`, when the zkVM guest calls `sys_read`, the host is able to use a crafted response to write to an arbitrary memory location in the guest. This capability can be leveraged to execute arbitrary code within the guest. As `sys_read` is the mechanism by which input is requested by the guest, all guest programs built with the affected versions are vulnerable. This critically compromises the soundness guarantees of the guest program.\n\nA fix was applied in [\\#3351](https://github.com/risc0/risc0/pull/3351). The vulnerable pointer arithmetic was removed, and replaced with a simplified implementation in the `v1compat` kernel which uses Rust\u2019s slice functions to guarantee memory safety.\n\nThe fix has been released as part of `risc0-zkvm` versions `2.3.2` and `3.0.3`. All prior versions are affected.\n\n## Remediation\n\nAll developers of zkVM applications should update their guests to use `risc0-zkvm` versions `^2.3.2` or `^3.0.3`.\n\nThis upgrade can be accomplished by editing all `Cargo.toml` files in the following way.\n\n* Any references to [`risc0-zkvm`](https://crates.io/crates/risc0-zkvm) should use version specifiers `\u201d2.3.2\u201d` or `\u201d3.0.3\u201d`. \n* Any references to [`risc0-build`](https://crates.io/crates/risc0-build) should use version specifiers `\u201d2.3.2\u201d` or `\u201d3.0.3\u201d`, matching `risc0-zkvm`. \n* Any references to [`risc0-zkvm-platform`](https://crates.io/crates/risc0-zkvm-platform) should use version specifier `\u201d2.1.0\u201d` or later. Most projects will not have direct references to this crate.\n\nRebuild your application including the guest. You can run the following command to check that the patch is applied:\n\n```shell\n# Provide the path to your guest Cargo.toml. Should report risc0-zkvm-platform \u003e=v2.1.0\ncargo tree --depth 0 -p risc0-zkvm-platform --manifest-path path/to/methods/guest/Cargo.toml\n```\n\nAny applications that use the image ID of this guest need to be updated with the newly built image ID.\n\nNote that there are no changes to the RISC Zero proof system or circuits. Provers are not required to take any action. Users of the Groth16 smart contract verifier and the [RISC Zero Verifier Router](https://dev.risczero.com/api/blockchain-integration/contracts/verifier#verifier-router) are not required to take any action beyond updating their guest programs.\n\nAny applications using the `risc0-aggregation` crate or the `RiscZeroSetVerifier` smart contract should update to version `\u003e=0.9`. This application includes a zkVM guest, which is vulnerable in versions prior to `0.9`. Instances of the `RiscZeroSetVerifier` operated by RISC Zero have been disabled via the estop mechanism outlined in the [Verifier Management Design](https://github.com/risc0/risc0-ethereum/blob/release-2.0/contracts/version-management-design.md#base-verifier-implementations).",
"id": "GHSA-jqq4-c7wq-36h7",
"modified": "2025-10-02T15:11:40Z",
"published": "2025-10-01T21:04:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/risc0/risc0/security/advisories/GHSA-jqq4-c7wq-36h7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61588"
},
{
"type": "WEB",
"url": "https://github.com/risc0/risc0/pull/3351"
},
{
"type": "WEB",
"url": "https://github.com/risc0/risc0/commit/3f00e1fa0159599c1601e788021f2169d1f0a4dc"
},
{
"type": "PACKAGE",
"url": "https://github.com/risc0/risc0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "risc0 vulnerable to arbitrary code execution in guest via memory safety failure in `sys_read`"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.