CVE-2025-66559

CVE-2025-66559 is a high-severity vulnerability with a CVSS 4.0 base score of 8.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-129.

Key facts

Description

Taiko Alethia is an Ethereum-equivalent, permissionless, based rollup designed to scale Ethereum without compromising its fundamental properties. In 2.3.1 and earlier, TaikoInbox._verifyBatches (packages/protocol/contracts/layer1/based/TaikoInbox.sol:627-678) advanced the local tid to whatever transition matched the current blockHash before knowing whether that batch would actually be verified. When the loop later broke (e.g., cooldown window not yet passed or transition invalidated), the function still wrote that newer tid into batches[lastVerifiedBatchId].verifiedTransitionId after decrementing batchId. Result: the last verified batch could end up pointing at a transition index from the next batch (often zeroed), corrupting the verified chain pointer.

Frequently asked questions

What is CVE-2025-66559?
Taiko Alethia is an Ethereum-equivalent, permissionless, based rollup designed to scale Ethereum without compromising its fundamental properties. In 2.3.1 and earlier, TaikoInbox._verifyBatches (packages/protocol/contracts/layer1/based/TaikoInbox.sol:627-678) advanced the local tid to whatever transition matched the current blockHash before knowing whether that batch would actually be verified. When the loop later broke (e.g., cooldown window not yet passed or transition invalidated), the function still wrote that newer tid into batches[lastVerifiedBatchId].verifiedTransitionId after decrementing batchId. Result: the last verified batch could end up pointing at a transition index from the next batch (often zeroed), corrupting the verified chain pointer.
How severe is CVE-2025-66559?
CVE-2025-66559 has a CVSS 4.0 base score of 8.0, rated high severity.
Is CVE-2025-66559 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (19th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2025-66559?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
Does CVE-2025-66559 have an EU (EUVD) identifier?
Yes. CVE-2025-66559 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-201290.
When was CVE-2025-66559 published?
CVE-2025-66559 was published on 2025-12-04 and last updated on 2026-06-17.

References

Other CWE-129 (Improper Validation of Array Index) vulnerabilities

Browse all CWE-129 (Improper Validation of Array Index) vulnerabilities →