CVE-2025-54426
BaseFortify
Publication date: 2025-07-28
Last updated on: 2025-07-29
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| polkadot | frontier | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Polkadot Frontier involves the Curve25519Add and Curve25519ScalarMul precompiles incorrectly handling invalid Ristretto point representations. Instead of returning an error when given invalid input bytes, these functions silently treat the invalid input as the Ristretto identity element. This can lead to incorrect cryptographic results. The issue was fixed in a specific commit (36f70d1).
How can this vulnerability impact me?
The vulnerability can lead to potentially incorrect cryptographic results due to invalid inputs being treated as valid identity elements. This can undermine the security guarantees of cryptographic operations relying on these precompiles, possibly allowing attackers to exploit cryptographic weaknesses or cause unexpected behavior in applications using Polkadot Frontier.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Polkadot Frontier to include the fix from commit 36f70d1 or a later version where the Curve25519Add and Curve25519ScalarMul precompiles correctly handle invalid Ristretto point representations by returning an error instead of treating invalid inputs as the Ristretto identity element.
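The behaviour described in the answers above, as an added example that is not Frontier's code and not part of the original advisory: a Python model of Ristretto255 decoding (following RFC 9496) with the fallback-to-identity handling next to the strict handling that returns an error. The function names and the sample byte strings are constructed for illustration.

```python
P = 2**255 - 19
D = (-121665 * pow(121666, -1, P)) % P   # Edwards curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)        # a square root of -1 mod p
IDENTITY = (0, 1)                        # affine (x, y) of the identity element

def inv_sqrt(v):
    """RFC 9496 SQRT_RATIO_M1 with u = 1: (was_square, sqrt(1/v))."""
    r = pow(v, 3, P) * pow(pow(v, 7, P), (P - 5) // 8, P) % P
    check = v * r * r % P
    if check in (P - 1, P - SQRT_M1):
        r = r * SQRT_M1 % P
    return check in (1, P - 1), (P - r if r & 1 else r)

def ristretto_decode(data):
    """Return affine (x, y) for a canonical encoding, or None if invalid."""
    if len(data) != 32:
        return None
    s = int.from_bytes(data, "little")
    if s >= P or s & 1:                  # non-canonical or "negative" s
        return None
    ss = s * s % P
    u1, u2 = (1 - ss) % P, (1 + ss) % P
    u2_sqr = u2 * u2 % P
    v = (-D * u1 * u1 - u2_sqr) % P
    was_square, inv = inv_sqrt(v * u2_sqr % P)
    den_x = inv * u2 % P
    den_y = inv * den_x * v % P
    x = 2 * s * den_x % P
    x = P - x if x & 1 else x
    y = u1 * den_y % P
    if not was_square or (x * y % P) & 1 or y == 0:
        return None
    return x, y

def decode_lenient(data):
    # Models the pre-fix behaviour: a decode failure silently becomes identity.
    pt = ristretto_decode(data)
    return IDENTITY if pt is None else pt

def decode_strict(data):
    # Models the fixed behaviour: invalid bytes are an error for the caller.
    pt = ristretto_decode(data)
    if pt is None:
        raise ValueError("invalid Ristretto point encoding")
    return pt

# Constructed inputs: the canonical identity and two encodings RFC 9496 rejects.
IDENTITY_BYTES = bytes(32)
NEGATIVE_S = (1).to_bytes(32, "little")    # s = 1 is odd, i.e. negative
NON_CANONICAL = P.to_bytes(32, "little")   # s = p is not a reduced field element
```

With the lenient decoder, `NEGATIVE_S` and `NON_CANONICAL` are indistinguishable from `IDENTITY_BYTES`, so an addition or scalar multiplication built on it returns a result instead of failing.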