GHSA-3g92-f9ch-qjcm: Plonky3: The sponge construction used to get a hash function from a cryptographic permutation is not collision resistant for inputs of different lengths

The impact of this vulnerability is a little difficult to estimate. It is important to note that, in circumstances where the number of elements to be hashed is known and fixed in advance, (as is the case for most STARKS), the method is collision resistant. This vulnerability only applies if a malicious user is able to manipulate the number of elements to be hashed.

That being said, there are theoretically situations where this could allow for an amortising of grinding costs (if a prover can manipulate things to get the same hasher state across multiple proofs).