Towards Fuzzing Zero-Knowledge Proof Circuits (Short Paper)

📅 2025-04-21
🤖 AI Summary
Zero-knowledge proof (ZKP) circuits are prone to security vulnerabilities due to design and implementation flaws, yet existing verification approaches lack automated, scalable bug-detection mechanisms. Method: This paper presents the first systematic exploration of fuzz testing for ZKP circuit vulnerability discovery, addressing the core oracle problem via a ZKP-semantics-aware oracle design; it introduces constraint-aware input generation and structured mutation strategies, and tightly integrates the zk-regex library with coverage-guided fuzzing. Contribution/Results: Our framework discovers 10 previously unknown vulnerabilities in zk-regex, demonstrating both effectiveness and practicality. It constitutes the first reproducible, scalable fuzz-testing framework for ZKP circuit security validation—enabling automated, semantics-informed, and coverage-driven vulnerability detection across diverse ZKP circuit implementations.

📝 Abstract
Zero-knowledge proofs (ZKPs) have evolved from a theoretical cryptographic concept into a powerful tool for implementing privacy-preserving and verifiable applications without requiring trust assumptions. Despite significant progress in the field, implementing and using ZKPs via ZKP circuits remains challenging, leading to numerous bugs that affect ZKP circuits in practice, and fuzzing remains largely unexplored as a method to detect bugs in ZKP circuits. We discuss the unique challenges of applying fuzzing to ZKP circuits, examine the oracle problem and its potential solutions, and propose techniques for input generation and test harness construction. We demonstrate that fuzzing can be effective in this domain by implementing a fuzzer for zk-regex, a cornerstone library in modern ZKP applications. In our case study, we discovered 10 new bugs.

Problem

Research questions and friction points this paper is trying to address.

Detecting bugs in ZKP circuits via fuzzing
Addressing the oracle problem in ZKP circuit testing
Generating effective inputs for ZKP circuit validation
Innovation

Methods, ideas, or system contributions that make the work stand out.

Fuzzing Zero-Knowledge Proof circuits
Solutions to the oracle problem
Input generation and test harness