x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-hrhf-2vcr-ghch

[GoVulnBot]

Advisory GHSA-hrhf-2vcr-ghch references a vulnerability in the following Go modules:

Module
github.com/cometbft/cometbft

Description:
Name: ASA-2025-003: Invalid BitArray handling can lead to network halt
Criticality: High (Considerable Impact; Possible Likelihood per ACMv1.2)
Affected versions: <= v0.38.18, <= v0.37.15, and main development branches
Affected users: Validators, Full nodes, Users

Description

A bug was discovered in CometBFT's handling of BitArray's that have a mismatch between the BitArray's expected number of Elems for the specified number of Bits. Additional validation was added to prevent processing...

References:

• ADVISORY: GHSA-hrhf-2vcr-ghch
• ADVISORY: GHSA-hrhf-2vcr-ghch
• FIX: cometbft/cometbft@be5677c
• FIX: cometbft/cometbft@dcb1f26
• WEB: https://github.com/cometbft/cometbft/releases/tag/v0.37.16
• WEB: https://github.com/cometbft/cometbft/releases/tag/v0.38.19

Cross references:

• github.com/cometbft/cometbft appears in 11 other report(s):
  • data/excluded/GO-2023-2092.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-hq58-p9mv-338c #2092) NOT_A_VULNERABILITY
  • data/excluded/GO-2024-2585.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-555p-m4v6-cqxv #2585) NOT_A_VULNERABILITY
  • data/reports/GO-2023-1882.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: CVE-2023-34450 #1882)
  • data/reports/GO-2023-1883.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: CVE-2023-34451 #1883)
  • data/reports/GO-2024-2471.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-qr8r-m495-7hc4 #2471)
  • data/reports/GO-2024-2951.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-hg58-rf2h-6rr7 #2951)
  • data/reports/GO-2024-3112.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft/light: GHSA-g5xx-c4hv-9ccc #3112)
  • data/reports/GO-2024-3259.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-p7mv-53f2-4cwj #3259)
  • data/reports/GO-2025-3442.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-22qq-3xwm-r5x4 #3442)
  • data/reports/GO-2025-3442.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-22qq-3xwm-r5x4 #3442)
  • data/reports/GO-2025-3443.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-r3r4-g7hq-pq4f #3443)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cometbft/cometbft
      non_go_versions:
        - introduced: TODO (earliest fixed "0.38.19", vuln range ">= 0.38.0-alpha.1, <= 0.38.18")
        - introduced: TODO (earliest fixed "0.37.16", vuln range "<= 0.37.15")
      vulnerable_at: 1.0.1
summary: CometBFT's invalid BitArray handling can lead to network halt in github.com/cometbft/cometbft
ghsas:
    - GHSA-hrhf-2vcr-ghch
references:
    - advisory: https://github.com/advisories/GHSA-hrhf-2vcr-ghch
    - advisory: https://github.com/cometbft/cometbft/security/advisories/GHSA-hrhf-2vcr-ghch
    - fix: https://github.com/cometbft/cometbft/commit/be5677c3e58f998b7f67bb6186dd2c9b81a041a1
    - fix: https://github.com/cometbft/cometbft/commit/dcb1f265b59477be40804f7ccdc4fb30612d6a4f
    - web: https://github.com/cometbft/cometbft/releases/tag/v0.37.16
    - web: https://github.com/cometbft/cometbft/releases/tag/v0.38.19
notes:
    - fix: 'module merge error: could not merge versions of module github.com/cometbft/cometbft: invalid or non-canonical semver version (found TODO (earliest fixed "0.38.19", vuln range ">= 0.38.0-alpha.1, <= 0.38.18"))'
source:
    id: GHSA-hrhf-2vcr-ghch
    created: 2025-10-14T20:01:23.466487687Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/721084 mentions this issue: data/reports: mark GO-2025-3442 as REVIEWED

[gopherbot]

Change https://go.dev/cl/721400 mentions this issue: data/reports: add 6 reports