GHSA-22qq-3xwm-r5x4

Source

https://github.com/advisories/GHSA-22qq-3xwm-r5x4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-22qq-3xwm-r5x4/GHSA-22qq-3xwm-r5x4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-22qq-3xwm-r5x4

Aliases

CVE-2025-24371
GO-2025-3442

Published

2025-02-03T15:55:28Z

Modified

2025-02-05T16:32:32Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

CometBFT allows a malicious peer to make node stuck in blocksync

Details

Name: ASA-2025-001: Malicious peer can disrupt node's ability to sync via blocksync Component: CometBFT Criticality: Medium (Considerable Impact; Possible Likelihood per ACMv1.2) Affected versions: <= v0.38.16, v1.0.0 Affected users: Validators, Full nodes

Impact

A malicious peer may be able to interfere with a node's ability to sync blocks with peers via the blocksync mechanism.

In the blocksync protocol peers send their base and latest heights when they connect to a new node (A), which is syncing to the tip of a network. base acts as a lower ground and informs A that the peer only has blocks starting from height base. latest height informs A about the latest block in a network. Normally, nodes would only report increasing heights:

B: {base: 100, latest: 1000}
B: {base: 100, latest: 1001}
B: {base: 100, latest: 1002}
...

If B fails to provide the latest block, B is removed and the latest height (target height) is recalculated based on other nodes latest heights.

The existing code hovewer doesn't check for the case where B first reports latest height X and immediately after height Y, where X > Y. For example:

B: {base: 100, latest: 2000}
B: {base: 100, latest: 1001}
B: {base: 100, latest: 1002}
...

A will be trying to catch up to 2000 indefinitely. Even if B disconnects, the latest height (target height) won't be recalculated because A "doesn't know where 2000" came from per see.

Impact Qualification

This condition requires the introduction of malicious code in the full node first reporting a non-existing latest height, then reporting lower latest height and nodes which are syncing using blocksync protocol.

Patches

The new CometBFT releases v1.0.1 and v0.38.17 fix this issue.

Unreleased code in the main is patched as well.

Workarounds

When the operator notices blocksync is stuck, they can identify the peer from which that message with "invalid" height was received. This may require increasing the logging level of the blocksync module. This peer can then be subsequently banned at the p2p layer as a temporary mitigation.

References

If you have questions about Interchain security efforts, please reach out to our official communication channel at security@interchain.io. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.

A Github Security Advisory for this issue is available in the CometBFT repository. For more information about CometBFT, see https://docs.cometbft.com/.

Database specific

{
    "nvd_published_at": "2025-02-03T22:15:28Z",
    "cwe_ids": [
        "CWE-703"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-03T15:55:28Z"
}

References

Affected packages

Go / github.com/cometbft/cometbft

Package

Name: github.com/cometbft/cometbft; View open source insights on deps.dev
Purl: pkg:golang/github.com/cometbft/cometbft

Affected ranges

Type: SEMVER
Events: Introduced

1.0.0-alpha.1

Fixed

1.0.1

Go / github.com/cometbft/cometbft

Package

Name: github.com/cometbft/cometbft; View open source insights on deps.dev
Purl: pkg:golang/github.com/cometbft/cometbft

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.38.17