CVE-2025-54426

CRITICAL

Polkadot Frontier <commit 36f70d1 - Info Disclosure

Title source: llm

Description

Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. In versions prior to commit 36f70d1, the Curve25519Add and Curve25519ScalarMul precompiles incorrectly handle invalid Ristretto point representations. Instead of returning an error, they silently treat invalid input bytes as the Ristretto identity element, leading to potentially incorrect cryptographic results. This is fixed in commit 36f70d1.

References (4)

[Vendor Advisory] https://github.com/polkadot-evm/frontier/security/advisories/GHSA-v4q3-23rh-w5mw

[Patch] https://github.com/polkadot-evm/frontier/pull/1720/commits/8ed6053fb868495477ba2409f7e64f439df76f96

[Patch] https://github.com/polkadot-evm/frontier/commit/36f70d1defcaeaed5a453015f6c98c21bb5b121b

View Patch ZIP pw:eip

[Various Sources] https://dotpal.io/assets/files/frontier-srlabs-2505-718c3bfa5df9fed1862fed05de506859.pdf

Scores

CVSS v4 9.9

EPSS 0.0006

EPSS Percentile 18.9%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-327

Status published

Products (1)

polkadot-evm/frontier < 36f70d1

Published Jul 28, 2025

Tracked Since Feb 18, 2026