Security

Report a vulnerability

SECURITY.md

Security Policy

Report a Vulnerability

Contact security@openvm.dev.

OpenVmHalo2Verifier accepts non-canonical app commitments
GHSA-w82q-w67c-67wv published Jun 26, 2026 by shuklaayush

Moderate
OpenVmHalo2Verifier self-call can bypass proof verification
GHSA-j29p-wr24-hp4f published Jun 26, 2026 by shuklaayush

Critical
MemoryMerkleAir allows below-leaf rows to alter memory roots
GHSA-396x-v8w4-9x82 published Jun 26, 2026 by shuklaayush

Critical
`openvm-pairing` pairing check missing proper subfield check on scaling factor
GHSA-76mq-v757-53gr published May 15, 2026 by jpw-axiom

Critical
SHA-256 and Keccak circuits under-constrained
GHSA-9jfx-4f4f-497j published May 15, 2026 by jpw-axiom

High
Native recursion verifier missing constraints in program and circuit
GHSA-j9m2-fxc5-fr82 published May 15, 2026 by jpw-axiom

Critical
System AIRs missing boolean or zero assertions
GHSA-fh29-29h9-qm9h published May 15, 2026 by jpw-axiom

Critical
Plonky3 missing final polynomial degree check and randomness in FRI verifier
GHSA-4w7p-8f9q-f4g2 published Jun 3, 2025 by jonathanpwang

High
Byte decomposition of pc in AUIPC chip can overflow
GHSA-jf2r-x3j4-23m7 published May 2, 2025 by jonathanpwang

High

Learn more about advisories related to openvm-org/openvm in the GitHub Advisory Database