Strix
26.1K

CVE-2025-48886

MEDIUMCVSS 4.8/10EPSS 0.25%

Last modified

CVE-2025-48886 is a medium-severity vulnerability rated 4.8/10 on the CVSS scale. Hydra is a layer-two scalability solution for Cardano. Prior to version 0.22.0, the process assumes L1 event finality and does not consider failed transactions. EPSS estimates a 0.25% chance of exploitation in the next 30 days.

Description

Hydra is a layer-two scalability solution for Cardano. Prior to version 0.22.0, the process assumes L1 event finality and does not consider failed transactions. Currently, Cardano L1 is monitored for certain events which are necessary for state progression. At the moment, Hydra considers those events as finalized as soon as they are recognized by the node participants making such transactions the target of re-org attacks. The system does not currently consider the fact that failed transactions on the Cardano L1 can indeed appear in blocks because these transactions are so infrequent. This issue has been patched in version 0.22.0.

Metrics

CVSS 3.1
4.8/10

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

EPSS Probability
0.25%

15.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

References

Timeline

Published
Last Modified
Status
Deferred

Frequently Asked Questions

What is CVE-2025-48886?
Hydra is a layer-two scalability solution for Cardano. Prior to version 0.22.0, the process assumes L1 event finality and does not consider failed transactions. Currently, Cardano L1 is monitored for certain events which are necessary for state progression. At the moment, Hydra considers those events as finalized as soon as they are recognized by the node participants making such transactions the target of re-org attacks. The system does not currently consider the fact that failed transactions on the Cardano L1 can indeed appear in blocks because these transactions are so infrequent. This issue has been patched in version 0.22.0.
How severe is CVE-2025-48886?
CVE-2025-48886 has a CVSS score of 4.8/10 (MEDIUM severity). The EPSS model estimates a 0.25% probability of exploitation in the next 30 days.
How do I fix CVE-2025-48886?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-48886?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST