Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🦀 crates.io

GHSA-jqq4-c7wq-36h7

risc0 vulnerable to arbitrary code execution in guest via memory safety failure in `sys_read`

Also known asCVE-2025-61588
Published
Oct 1, 2025
Updated
Oct 2, 2025
Affected
5 pkgs
Patched
5 / 5
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.4%probability of exploitation in next 30 days
Lower Risk34th percentile+0.31%
0.00%0.31%0.61%0.92%0.1%0.4%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

5 pkgs affected
🦀risc0-zkvm-platform🦀risc0-zkos-v1compat🦀risc0-aggregation🦀risc0-zkvm🦀risc0-zkvm

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.

Description

Arbitrary code execution in guest via memory safety failure in sys_read

In affected versions of risc0-zkvm-platform, when the zkVM guest calls sys_read, the host is able to use a crafted response to write to an arbitrary memory location in the guest. This capability can be leveraged to execute arbitrary code within the guest. As sys_read is the mechanism by which input is requested by the guest, all guest programs built with the affected versions are vulnerable. This critically compromises the soundness guarantees of the guest program.

A fix was applied in #3351. The vulnerable pointer arithmetic was removed, and replaced with a simplified implementation in the v1compat kernel which uses Rust’s slice functions to guarantee memory safety.

The fix has been released as part of risc0-zkvm versions 2.3.2 and 3.0.3. All prior versions are affected.

Remediation

All developers of zkVM applications should update their guests to use risc0-zkvm versions ^2.3.2 or ^3.0.3.

This upgrade can be accomplished by editing all Cargo.toml files in the following way.

  • Any references to risc0-zkvm should use version specifiers ”2.3.2” or ”3.0.3”.
  • Any references to risc0-build should use version specifiers ”2.3.2” or ”3.0.3”, matching risc0-zkvm.
  • Any references to risc0-zkvm-platform should use version specifier ”2.1.0” or later. Most projects will not have direct references to this crate.

Rebuild your application including the guest. You can run the following command to check that the patch is applied:

# Provide the path to your guest Cargo.toml. Should report risc0-zkvm-platform >=v2.1.0
cargo tree --depth 0 -p risc0-zkvm-platform --manifest-path path/to/methods/guest/Cargo.toml

Any applications that use the image ID of this guest need to be updated with the newly built image ID.

Note that there are no changes to the RISC Zero proof system or circuits. Provers are not required to take any action. Users of the Groth16 smart contract verifier and the RISC Zero Verifier Router are not required to take any action beyond updating their guest programs.

Any applications using the risc0-aggregation crate or the RiscZeroSetVerifier smart contract should update to version >=0.9. This application includes a zkVM guest, which is vulnerable in versions prior to 0.9. Instances of the RiscZeroSetVerifier operated by RISC Zero have been disabled via the estop mechanism outlined in the Verifier Management Design.

Affected Packages

5 total 5 fixed
EcosystemPackageVulnerable rangeFix
🦀crates.iorisc0-zkvm-platformall versions2.1.0
🦀crates.iorisc0-zkos-v1compatall versions2.1.0
🦀crates.iorisc0-aggregationall versions0.9
🦀crates.iorisc0-zkvmall versions2.3.2
🦀crates.iorisc0-zkvm3.0.0&&< 3.0.33.0.3

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for risc0-zkvm-platform. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update risc0-zkvm-platform to 2.1.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-jqq4-c7wq-36h7 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-jqq4-c7wq-36h7 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-jqq4-c7wq-36h7. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

# Arbitrary code execution in guest via memory safety failure in `sys_read` In affected versions of `risc0-zkvm-platform`, when the zkVM guest calls `sys_read`, the host is able to use a crafted response to write to an arbitrary memory location in the guest. This capability can be leveraged to execute arbitrary code within the guest. As `sys_read` is the mechanism by which input is requested by the guest, all guest programs built with the affected versions are vulnerable. This critically compromises the soundness guarantees of the guest program. A fix was applied in [\#3351](https://github.c
O3 Security · Impact-Aware SCA

Is GHSA-jqq4-c7wq-36h7 in your dependencies?

O3 detects GHSA-jqq4-c7wq-36h7 across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works
GHSA-jqq4-c7wq-36h7: risc0-zkvm-platform Remote Code Execution | O3 Security