x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-22qq-3xwm-r5x4

[GoVulnBot]

Advisory GHSA-22qq-3xwm-r5x4 references a vulnerability in the following Go modules:

Module
github.com/cometbft/cometbft

Description:
Name: ASA-2025-001: Malicious peer can disrupt node's ability to sync via blocksync
Component: CometBFT
Criticality: Medium (Considerable Impact; Possible Likelihood per ACMv1.2)
Affected versions: <= v0.38.16, v1.0.0
Affected users: Validators, Full nodes

Impact

A malicious peer may be able to interfere with a node's ability to sync blocks with peers via the blocksync mechanism.

In the blocksync protocol peers send their base and latest heights when they connect to a new node (A), which is...

References:

• ADVISORY: GHSA-22qq-3xwm-r5x4
• ADVISORY: GHSA-22qq-3xwm-r5x4
• FIX: cometbft/cometbft@0ee80cd
• FIX: cometbft/cometbft@2cebfde

Cross references:

• github.com/cometbft/cometbft appears in 8 other report(s):
  • data/excluded/GO-2023-2092.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-hq58-p9mv-338c #2092) NOT_A_VULNERABILITY
  • data/excluded/GO-2024-2585.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-555p-m4v6-cqxv #2585) NOT_A_VULNERABILITY
  • data/reports/GO-2023-1882.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: CVE-2023-34450 #1882)
  • data/reports/GO-2023-1883.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: CVE-2023-34451 #1883)
  • data/reports/GO-2024-2471.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-qr8r-m495-7hc4 #2471)
  • data/reports/GO-2024-2951.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-hg58-rf2h-6rr7 #2951)
  • data/reports/GO-2024-3112.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft/light: GHSA-g5xx-c4hv-9ccc #3112)
  • data/reports/GO-2024-3259.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-p7mv-53f2-4cwj #3259)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cometbft/cometbft
      versions:
        - fixed: 0.38.17
        - introduced: 1.0.0-alpha.1
        - fixed: 1.0.1
      vulnerable_at: 1.0.0
summary: CometBFT allows a malicious peer to make node stuck in blocksync in github.com/cometbft/cometbft
cves:
    - CVE-2025-24371
ghsas:
    - GHSA-22qq-3xwm-r5x4
references:
    - advisory: https://github.com/advisories/GHSA-22qq-3xwm-r5x4
    - advisory: https://github.com/cometbft/cometbft/security/advisories/GHSA-22qq-3xwm-r5x4
    - fix: https://github.com/cometbft/cometbft/commit/0ee80cd609c7ae9fe856bdd1c6d38553fdae90ce
    - fix: https://github.com/cometbft/cometbft/commit/2cebfde06ae5073c0b296a9d2ca6ab4b95397ea5
source:
    id: GHSA-22qq-3xwm-r5x4
    created: 2025-02-03T16:01:50.717142716Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/646596 mentions this issue: data/reports: add 2 needs review reports

[gopherbot]

Change https://go.dev/cl/657615 mentions this issue: data/reports: modify 2 needs review reports

[ericlee42]

I got this because of 4c78870

Vulnerability #1: GO-2025-3443
    CometBFT allows a malicious peer to stall the network by disseminating
    seemingly valid block parts in github.com/cometbft/cometbft
  More info: https://pkg.go.dev/vuln/GO-2025-3443
  Module: github.com/cometbft/cometbft
    Found in: github.com/cometbft/cometbft@v0.38.17
    Fixed in: github.com/cometbft/cometbft@v1.0.1
    Example traces found:

This is not correct, 0.38.17 fixed the vulnerability

[ericlee42]

@thatnealpatel Hello, could you please take a look

[thatnealpatel]

Hi @ericlee42, thanks for bringing this to our attention; a change will land to correct this entry over #3443.