CVE-2025-54429

Description

Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. There are various account address types in Frontier, e.g. precompiled contracts, smart contracts, and externally owned accounts. Some EVM mechanisms should be unreachable by certain types of accounts for safety. For precompiles to be callable by smart contracts they must be explicitly configured as CallableByContract. If this configuration is absent, then the precompile should be unreachable via smart contract accounts. In commits prior to 0822030, the underlying implementation of CallableByContract which returned the AddressType was incorrect. It considered the contract address running under CREATE or CREATE2 to be AddressType::EOA rather than correctly as AddressType::Contract. The issue only affects users who use custom precompile implementations that utilize AddressType::EOA and AddressType::Contract. It's not directly exploitable in any of the predefined precompiles in Frontier. This is fixed in version 0822030.

Weakness Type (CWE)

CWE-704 CWE-704

References

Other References

https://dotpal.io/assets/files/frontier-srlabs-2505-718c3bfa5df9fed1862fed05de506859.pdf https://github.com/polkadot-evm/frontier/pull/1655 https://github.com/polkadot-evm/frontier/security/advisories/GHSA-fr62-ppwc-mc2h

Frequently Asked Questions

What is CVE-2025-54429? +

Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. There are various account address types in Frontier, e.g. precompiled contracts, smart contracts, and externally owned accounts. Some EVM mechanisms should be unreachable by certain types of accounts for safety. For precompiles to be callable by smart contracts they must be explicitly configured as CallableByContract. If this configuration is absent, then the precompile should be unreachable via smart contract accounts. In commits prior to 0822030, the underlying implementation of CallableByContract which returned the AddressType was incorrect. It considered the contract address running under CREATE or CREATE2 to be AddressType::EOA rather than correctly as AddressType::Contract. The issue only affects users who use custom precompile implementations that utilize AddressType::EOA and AddressType::Contract. It's not directly exploitable in any of the predefined precompiles in Frontier. This is fixed in version 0822030.

How do I check if I'm vulnerable to CVE-2025-54429? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2010-20115

Arcane Software’s Vermillion FTP Daemon (vftpd) versions up to and including 1.31 contains a memory corruption vulnerability triggered by a …

CVE-2025-41646 9.8

An unauthorized remote attacker can bypass the authentication of the affected software package by misusing an incorrect type conversion. This …

CVE-2024-5436 9.8

Type confusion in Snapchat LensCore could lead to denial of service or arbitrary code execution prior to version 12.88. We …

CVE-2025-41648 9.8

An unauthenticated remote attacker can bypass the login to the web application of the affected devices making it possible to …

CVE-2025-62494 8.8

A type confusion vulnerability exists in the handling of the string addition (+) operation within the QuickJS engine. * The …

CVE-2025-13720 8.8

Bad cast in Loader in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process …