DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-3G92-F9CH-QJCM: Cryptographic Hash Collision in Plonky3 p3-symmetric Sponge Construction

Vulnerability ID: GHSA-3G92-F9CH-QJCM
CVSS Score: 4.0
Published: 2026-04-16

The p3-symmetric crate in the Plonky3 library implements sponge-based hash functions on top of cryptographic permutations. Prior to the patch, the library provided a PaddingFreeSponge implementation that used an overwrite-mode sponge construction with no mandatory padding. Because nothing marks where a message ends, this construction is not collision-resistant for variable-length inputs: an attacker can craft messages of different lengths that drive the sponge into the same internal state, and therefore the same digest.

TL;DR

Plonky3's p3-symmetric crate is vulnerable to cryptographic hash collisions when using PaddingFreeSponge with variable-length inputs due to missing domain separation and padding.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-327
  • Attack Vector: Context-Dependent
  • CVSS Score: 4.0
  • Impact: Cryptographic Hash Collision
  • Exploit Status: Theoretical/PoC
  • KEV Status: Not Listed

Affected Systems

  • Plonky3 p3-symmetric
  • p3-symmetric: versions before commit 5c1dc1d6

Code Analysis

Commit: 5c1dc1d

Introduced Pad10Sponge to enforce domain separation and prevent hash collisions.
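To make the mechanism described above (and in the summary paragraph) concrete, here is an added toy model in Rust, written for this page rather than taken from Plonky3: an overwrite-mode sponge over a throwaway ARX permutation, absorbed once with no padding (modelling PaddingFreeSponge) and once with textbook 10* padding (assumed to be the form Pad10Sponge applies). WIDTH, RATE, the permutation and all function names are constructed for the example; the permutation is not secure and only exists to show why the unpadded variant lets a short final chunk be extended into a longer message with the same state, and why padding breaks that equivalence.

```rust
const WIDTH: usize = 4; // toy state size (a model for illustration, not Plonky3 code)
const RATE: usize = 2; // words absorbed per permutation call; capacity = WIDTH - RATE

/// Toy ARX permutation (a bijection on the state), chosen only to make mixing visible.
fn permute(state: &mut [u64; WIDTH]) {
    for round in 0..8u64 {
        for i in 0..WIDTH {
            let next = state[(i + 1) % WIDTH];
            state[i] = state[i].wrapping_add(next).rotate_left(13) ^ round;
        }
    }
}

/// Overwrite-mode absorb: each chunk replaces the rate words, then the state is permuted.
/// A short final chunk overwrites only its own words; the rest of the rate is left as is.
fn absorb_overwrite(words: &[u64]) -> [u64; WIDTH] {
    let mut state = [0u64; WIDTH];
    for chunk in words.chunks(RATE) {
        state[..chunk.len()].copy_from_slice(chunk);
        permute(&mut state);
    }
    state
}

/// Models PaddingFreeSponge: the raw message goes straight into the absorb loop.
fn hash_padding_free(msg: &[u64]) -> u64 {
    absorb_overwrite(msg)[0]
}

/// Models Pad10Sponge with textbook 10* padding (an assumption about its exact form):
/// append a 1 word, then zeros up to a multiple of RATE, so every rate word is chosen
/// by the message plus its padding and no word is inherited from the previous state.
fn hash_pad10(msg: &[u64]) -> u64 {
    let mut padded = msg.to_vec();
    padded.push(1);
    let target = (padded.len() + RATE - 1) / RATE * RATE;
    padded.resize(target, 0);
    absorb_overwrite(&padded)[0]
}

/// Why the unpadded variant fails: when the last chunk is short, the rate words it does
/// not overwrite are simply the previous permutation output, so the message extended by
/// those words reaches the same state. Returns None if the message fills whole chunks.
fn collide_by_extension(msg: &[u64]) -> Option<Vec<u64>> {
    let tail = msg.len() % RATE;
    if tail == 0 { return None; }
    let state = absorb_overwrite(&msg[..msg.len() - tail]);
    let mut longer = msg.to_vec();
    longer.extend_from_slice(&state[tail..RATE]);
    Some(longer)
}
```

The same check is what step 5 of the remediation list should exercise against the real crate: hash a message with a short final chunk and its extended form, and confirm the padded sponge yields different digests.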

Mitigation Strategies

  • Upgrade Plonky3 dependencies to a version including the patch.
  • Replace variable-length uses of PaddingFreeSponge with Pad10Sponge.
  • Enforce strict input length validation if PaddingFreeSponge must be retained.

Remediation Steps:

  1. Identify all uses of p3-symmetric and the PaddingFreeSponge struct in the application codebase.
  2. Analyze the data structures being hashed to determine if their lengths are variable or fixed.
  3. For variable-length inputs, modify the code to initialize and use Pad10Sponge instead of the vulnerable sponge.
  4. Update library dependencies to pull the latest Plonky3 release containing commit 5c1dc1d64c0516a8911bbf3ea40f173c21d6ae47.
  5. Run cryptographic test suites to ensure hash commitments align with the new padding implementations.


Read the full report for GHSA-3G92-F9CH-QJCM on our website for more details including interactive diagrams and full exploit analysis.
