
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-54873 is a moderate severity vulnerability affecting the RISC Zero cryptographic system, specifically impacting multiple cargo packages including risc0-circuit-rv32im, risc0-circuit-rv32im-sys, and risc0-zkvm. The vulnerability was discovered in 2025 and affects versions 2.0 through 3.0 of the affected packages (GitHub Advisory).
The vulnerability consists of two distinct issues in the implementation of the division operation: 1) for certain inputs to signed integer division, the circuit allowed two possible outputs, only one of which is valid; and 2) the result of division-by-zero operations was underconstrained. The vulnerability was identified using the Picus tool from Veridise (GitHub Advisory).
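To illustrate what "underconstrained division" means, here is an added Rust example (written for this page, not RISC Zero's circuit code): a reference model of RISC-V `div`/`rem` semantics beside a deliberately loose witness check that only enforces `a = q*b + r`, and a constrained check that also fixes the remainder range, its sign, and the zero-divisor and overflow cases. The check functions and the small search window are assumptions for illustration; counting the witnesses each check accepts shows why the loose relation lets a prover choose among several results while the constrained one admits exactly one.

```rust
// Illustrative model for this page; not RISC Zero's circuit or API.

/// RISC-V signed division semantics that a zkVM circuit must pin down:
/// division by zero yields quotient -1 and remainder == dividend;
/// i32::MIN / -1 overflows to quotient i32::MIN with remainder 0.
pub fn riscv_div_rem(a: i32, b: i32) -> (i32, i32) {
    if b == 0 {
        (-1, a)
    } else if a == i32::MIN && b == -1 {
        (i32::MIN, 0)
    } else {
        (a / b, a % b) // Rust `/` and `%` truncate toward zero, like RISC-V
    }
}

/// Loose (underconstrained) check: only the identity a == q*b + r (wrapping).
/// Many (q, r) pairs satisfy it, and for b == 0 any q at all does.
pub fn loose_check(a: i32, b: i32, q: i32, r: i32) -> bool {
    q.wrapping_mul(b).wrapping_add(r) == a
}

/// Constrained check: the identity plus |r| < |b| and sign(r) == sign(a)
/// (or r == 0), with the zero-divisor and overflow results fixed explicitly.
pub fn constrained_check(a: i32, b: i32, q: i32, r: i32) -> bool {
    if b == 0 {
        return q == -1 && r == a;
    }
    if a == i32::MIN && b == -1 {
        return q == i32::MIN && r == 0;
    }
    loose_check(a, b, q, r)
        && r.unsigned_abs() < b.unsigned_abs()
        && (r == 0 || (r < 0) == (a < 0))
}

/// Count the (q, r) witnesses in a small window (assumed -8..=8) that `check`
/// accepts for the inputs (a, b). A sound constraint system yields exactly 1.
pub fn count_witnesses(a: i32, b: i32, check: fn(i32, i32, i32, i32) -> bool) -> usize {
    let mut n = 0;
    for q in -8..=8 {
        for r in -8..=8 {
            if check(a, b, q, r) {
                n += 1;
            }
        }
    }
    n
}

fn main() {
    for (a, b) in [(7, 2), (-7, 2), (5, 0)] {
        println!("{a}/{b}: spec={:?} loose={} constrained={}", riscv_div_rem(a, b),
            count_witnesses(a, b, loose_check), count_witnesses(a, b, constrained_check));
    }
}
```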
The vulnerability affects the integrity of cryptographic operations in the RISC Zero system. Impacted on-chain verifiers had to be disabled via the estop mechanism outlined in the Verifier Management Design (GitHub Advisory).
Users are recommended to upgrade to patched versions: risc0-zkvm users should upgrade to version 2.2.0 or later, while risc0-circuit-rv32im and risc0-circuit-rv32im-sys users should upgrade to version 3.0.0. Smart contract applications using the official RISC Zero Verifier Router do not need to take action as zkVM version 2.2 is active on all official routers. However, smart contract applications not using the verifier router should update their contracts to send verification calls to the 2.2 version of the verifier (GitHub Advisory).
Source: This report was generated using AI