一、 漏洞 CVE-2025-30147 基础信息
漏洞标题
ALTBN128_ADD、ALTBN128_MUL 和 ALTBN128_PAIRING 预编译函数没有检查点是否在曲线上
来源:AIGC 神龙大模型
漏洞描述信息
N/A
来源:AIGC 神龙大模型
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
来源:AIGC 神龙大模型
漏洞类别
使用不充分的随机数
来源:AIGC 神龙大模型
漏洞标题
ALTBN128_ADD, ALTBN128_MUL, ALTBN128_PAIRING precompile functions do not check if points are on curve
来源:美国国家漏洞数据库 NVD
漏洞描述信息
Besu Native contains scripts and tooling that is used to build and package the native libraries used by the Ethereum client Hyperledger Besu. Besu 24.7.1 through 25.2.2, corresponding to besu-native versions 0.9.0 through 1.2.1, have a potential consensus bug for the precompiles ALTBN128_ADD (0x06), ALTBN128_MUL (0x07), and ALTBN128_PAIRING (0x08). These precompiles were reimplemented in besu-native using gnark-crypto's bn254 implementation, as the former implementation used a library which was no longer maintained and not sufficiently performant. The new gnark implementation was initially added in version 0.9.0 of besu-native but was not utilized by Besu until version 0.9.2 in Besu 24.7.1. The issue is that there are EC points which may be crafted which are in the correct subgroup but are not on the curve and the besu-native gnark implementation was relying on subgroup checks to perform point-on-curve checks as well. The version of gnark-crypto used at the time did not do this check when performing subgroup checks. The result is that it was possible for Besu to give an incorrect result and fall out of consensus when executing one of these precompiles against a specially crafted input point. Additionally, homogenous Besu-only networks can potentially enshrine invalid state which would be incorrect and difficult to process with patched versions of besu which handle these calls correctly. The underlying defect has been patched in besu-native release 1.3.0. The fixed version of Besu is version 25.3.0. As a workaround for versions of Besu with the problem, the native precompile for altbn128 may be disabled in favor of the pure-java implementation. The pure java implementation is significantly slower, but does not have this consensus issue.
来源:美国国家漏洞数据库 NVD
CVSS信息
N/A
来源:美国国家漏洞数据库 NVD
漏洞类别
缺少必要的密码学步骤
来源:美国国家漏洞数据库 NVD
漏洞标题
Hyperledger Besu 安全漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
Hyperledger Besu是Hyperledger开源的一个应用程序。用于运行,维护,调试和监视以太坊网络中的节点。 Hyperledger Besu 24.7.1至25.2.2版本存在安全漏洞,该漏洞源于预编译实现问题,可能导致共识错误。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
其他
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2025-30147 的公开POC
# POC 描述 源链接 神龙链接
三、漏洞 CVE-2025-30147 的情报信息

  • 标题: ALTBN128_ADD, ALTBN128_MUL, ALTBN128_PAIRING precompile functions do not check if points are on curve · Advisory · hyperledger/besu-native · GitHub -- 🔗来源链接

    标签: x_refsource_CONFIRM

    ALTBN128_ADD, ALTBN128_MUL, ALTBN128_PAIRING precompile functions do not check if points are on curve · Advisory · hyperledger/besu-native · GitHub

  • 标题: besu/besu/src/main/java/org/hyperledger/besu/cli/options/NativeLibraryOptions.java at main · hyperledger/besu · GitHub -- 🔗来源链接

    标签: x_refsource_MISC

    besu/besu/src/main/java/org/hyperledger/besu/cli/options/NativeLibraryOptions.java at main · hyperledger/besu · GitHub
  • https://nvd.nist.gov/vuln/detail/CVE-2025-30147