Summary
Description
The summary is that the proof of knowledge associated to a commitment is crucial to bind the commitment to the actual circuit variables that were supposed to be committed. However, the same σ is used for all proofs of knowledge for the commitments, which allows mixing between them, making it possible to fix the value of all but one commitment before choosing the circuit variable assignments.
In more detail:
To simplify notation, let us consider the case of two commitments, each to only a single variable. Let's say the basis elements for those commitments are K_0 and K_1. Then the proving key will contain K_0 and K_1, and also σ*K_0 and σ*K_1 for the proof of knowledge. The honest prover assigning a to the first circuit variable and b to the second will then produce commitmentsD_0 = a*K_0D_1 = b*K_1
Out of the two D's, a challenge r for the commitment folding will be generated. The folded commitment will then beD_folded = D_0 + r*D_1 = a*K_0 + r*b*K_1
The honest prover will supply a fitting proof of knowledgeP = a*(σ*K_0) + r*b*(σ*K_1)
Now the verifier will only use all of this in two ways:
- In the check of the Groth16 proof itself, where only the sum
D_0 + D_1is used. - In the proof of knowledge check, where it will be verified that P is indeed
σ*(D_0 + r*D_1), with r calculated fromD_0andD_1as before.
This has the following implications. In the following, a malicious prover's points will have an apostrophe appended, and we keep D_0 etc. for the legitimate values:
- A malicious prover is only forced to provide
D'_0andD'_1such that the sum is correct. So they can use arbitraryD'_0as long as they setD'_1 = D_0 + D_1 - D'_0. - After choosing
D'_0andD'_1, the prover can always calculate r. Evaluatingσ*(D'_0 + r*D'_1)is then possible as long as bothD'_0andD'_1are linear combinations of basis elements for which σ times that basis element is known. In particular, this works as long asD'_0andD'_1are linear combinations ofK_0andK_1.
The upshot is that a malicious prover can choose arbitrary a' and b', and then setD'_0 = a'*K_0 + b'*K_1D'_1 = (a - a')*K_0 + (b - b')*K_1
Then they calculate r for this, and setP = (a' + r*(a-a'))*(σ*K_0) + (b' + r*(b-b'))*(σ*K_1)
This will then be accepted as a valid proof. Yet the first commitment point can be chosen completely independently of a and b, so in particular the malicious prover can use a constant for this, so that they will know the in-circuit challenge that will be added to the public inputs before they have to choose the witness assignments. For most use cases of such challenges (for proving things with Fiat-Shamir, random linear combinations etc.) this causes a critical soundness problem.
The problem generalizes to more than two commitments and commitments to more than one circuit variable each; one can freely choose all but one commitment as arbitrary linear combinations of the basis elements for all commitments, and then must choose the one remaining commitment in such a way that the sum is correct.
The root cause of the issue is that the σ used for the proofs of knowledge is the same, allowing to mix between the basis elements, as one has σ times them available for all of them.
So the fix is to have a separate σ for each commitment. So in our example above, the proving key would have the basis elements K_0 and K_1, and for the proofs of knowledge now σ_0*K_0 and σ_1*K_1. Folding the commitments would not be possible in the same way now, so the verifier will have to do more pairings. The prover could still provide a folded proof of knowledge however. WithD_0 = a*K_0D_1 = b*K_1
the proof of knowledge would beP = a*(σ_0*K_0) + r*b*(σ_1*K_1)
For later, let us use notation for the unfolded proofs of knowledgeP_0 = a*(σ_0*K_0)P_1 = b*(σ_1*K_1)
so thatP = P_0 + r*P_1
The verifying key would need G and σ_0*G and σ_1*G. To check the two unfolded proofs of knowledge would be the checkse(P_0, G) = e(D_0, σ_0*G)e(P_1, G) = e(D_1, σ_1*G)
As r is a challenge derived from D_0 and D_1, we may instead checke(P_0, G) + r*e(P_1, G) = e(D_0, σ_0*G) + r*e(D_1, σ_1*G)
The left hand side ise(P_0, G) + r*e(P_1, G) = e(P_0 + r*P_1, G) = e(P, G)
So the prover can just provide P and then the verifier checkse(P, G) = e(D_0, σ_0*G) + r*e(D_1, σ_1*G)
Unfortunately, the right hand side can't be folded as before, as there isn't a side of the pairing that is kept constant between the pairings as before. So the verifier will need to have a pairing for each commitment on the right hand side.
Workarounds
The recommendation has been to use only a single commitment and then derive in-circuit commitments as needed using std/multicommit package.
References
See the correspondence above.
Impact
It is a soundness issue - in case of multiple commitments used inside the circuit the prover is able to choose all but the last commitment. As we use the commitments for optimized non-native multiplication, lookup checks etc. as random challenges, then it could impact the soundness of the whole circuit.
However, using multiple commitments has been discouraged due to the additional cost to the verifier and it has not been supported in the recursive in-circuit Groth16 verifier and Solidity verifier. So we expect the impact of the issue be very small - only for the users who have implemented the native Groth16 verifier or are using it with multiple commitments. We do not have information of such users.
CVE-2024-45039 has a CVSS score of 6.2 (Medium). The vector is requires local access, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.11.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The issue has been patched in e7c66b000454f4d2a4ae48c005c34154d4cfc2a2
Frequently Asked Questions
- What is CVE-2024-45039? CVE-2024-45039 is a medium-severity security vulnerability in github.com/consensys/gnark (go), affecting versions <= 0.10.0. It is fixed in 0.11.0.
- How severe is CVE-2024-45039? CVE-2024-45039 has a CVSS score of 6.2 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/consensys/gnark are affected by CVE-2024-45039? github.com/consensys/gnark (go) versions <= 0.10.0 is affected.
- Is there a fix for CVE-2024-45039? Yes. CVE-2024-45039 is fixed in 0.11.0. Upgrade to this version or later.
- Is CVE-2024-45039 exploitable, and should I be worried? Whether CVE-2024-45039 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-45039 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-45039? Upgrade
github.com/consensys/gnarkto 0.11.0 or later.