Impact
Plonky3, a toolkit for polynomial IOPs, contains a flaw in its MultiField32Challenger that allows an adversary who can influence the prover's observations to craft two distinct transcripts that yield the same Fiat-Shamir challenge. This breaks the binding of the challenge to the transcript and, if exploited, could let an attacker forge or replay proofs, compromising the integrity of any system that relies on those proofs for security. The weakness is associated with CWE-1240 (Improper Independence of Random Variables) and CWE-345 (Missing Integrity Checks).
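To make the failure mode concrete, here is an added toy model (not Plonky3's code, and not a claim about the exact mechanism in MultiField32Challenger): a challenger that packs 32-bit field elements into one wide word before hashing. The weak encoding is constructed so that distinct observation sequences collide; the hardened encoding is injective, and a small check detects colliding transcripts. The modulus, domain tag and sample transcripts are constructed for this example.

```python
# Added illustration, not Plonky3 code: a toy multi-field challenger in a weak
# and a hardened form, plus a collision check a reviewer can run over transcripts.
import hashlib

P32 = (1 << 31) - 1  # constructed: a 31-bit prime modulus for the toy field

def weak_challenge(observations):
    # Weak encoding: elements are packed as 32-bit limbs into one integer and
    # the element count is not recorded, so trailing zero elements vanish:
    # (5,) and (5, 0) pack to the same integer and hence the same challenge.
    packed = 0
    for i, x in enumerate(observations):
        packed |= (x % P32) << (32 * i)
    nbytes = (packed.bit_length() + 7) // 8 or 1
    return hashlib.sha256(packed.to_bytes(nbytes, "little")).digest()

def hardened_challenge(observations):
    # Hardened encoding: a domain tag, the element count, then each element as
    # a fixed-width 4-byte limb, so the hashed bytes are an injective function
    # of the observation sequence (no two transcripts share an encoding).
    buf = bytearray(b"toy-challenger-v1")            # constructed domain tag
    buf += len(observations).to_bytes(8, "little")   # bind the length
    for x in observations:
        buf += (x % P32).to_bytes(4, "little")       # fixed-width limbs
    return hashlib.sha256(bytes(buf)).digest()

def find_collision(challenge_fn, transcripts):
    # Return the first pair of distinct transcripts that share a challenge,
    # or None if every transcript in the list maps to a distinct challenge.
    seen = {}
    for t in transcripts:
        c = challenge_fn(t)
        if c in seen and seen[c] != t:
            return seen[c], t
        seen.setdefault(c, t)
    return None

SAMPLE_TRANSCRIPTS = [  # constructed observation sequences (tuples of field elements)
    (5,), (5, 0), (5, 0, 0), (0, 5), (7, 9), (7, 9, 0),
]

if __name__ == "__main__":
    print("weak:", find_collision(weak_challenge, SAMPLE_TRANSCRIPTS))
    print("hardened:", find_collision(hardened_challenge, SAMPLE_TRANSCRIPTS))
```

The same `find_collision` check can be pointed at any challenger implementation to confirm that transcript encoding is injective over a chosen set of observation sequences.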
Affected Systems
All users of Plonky3 versions older than 0.4.3 (on the 0.4 line) or 0.5.3 (on the 0.5 line) are vulnerable; the issue is fixed in 0.4.3 and 0.5.3 and in later releases.
Risk and Exploitability
The CVSS score of 8.9 indicates high severity. Because no EPSS score is available, the likelihood of exploitation cannot be quantified, but the vulnerability is not listed in the CISA KEV catalog, which suggests no publicly known exploitation at the time of reporting. The attack vector likely requires the attacker to control or tamper with prover inputs; the description implies that this is a significant, non-trivial prerequisite.
Source: OpenCVE enrichment of the GitHub GHSA advisory