CVE-2025-54426
CRITICALPolkadot Frontier <commit 36f70d1 - Info Disclosure
Title source: llmDescription
Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. In versions prior to commit 36f70d1, the Curve25519Add and Curve25519ScalarMul precompiles incorrectly handle invalid Ristretto point representations. Instead of returning an error, they silently treat invalid input bytes as the Ristretto identity element, leading to potentially incorrect cryptographic results. This is fixed in commit 36f70d1.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://github.com/polkadot-evm/frontier/security/advisories/GHSA-v4q3-23rh-w5mw
Patch x_refsource_misc
https://github.com/polkadot-evm/frontier/pull/1720/commits/8ed6053fb868495477ba2409f7e64f439df76f96
Patch x_refsource_misc
https://github.com/polkadot-evm/frontier/commit/36f70d1defcaeaed5a453015f6c98c21bb5b121b
Various Sources x_refsource_misc
https://dotpal.io/assets/files/frontier-srlabs-2505-718c3bfa5df9fed1862fed05de506859.pdf
Scores
CVSS v4
9.9
EPSS
0.0030
EPSS Percentile
21.0%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-327
Status
published
Products (1)
polkadot-evm/frontier
< 36f70d1
Published
Jul 28, 2025
Tracked Since
Feb 18, 2026