GHSA-4jmp-x7mh-rgmr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4jmp-x7mh-rgmr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-4jmp-x7mh-rgmr/GHSA-4jmp-x7mh-rgmr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4jmp-x7mh-rgmr
- Published
- 2025-12-12T20:15:03Z
- Modified
- 2025-12-12T20:27:17.912137Z
- Severity
-
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Finality Provider vulnerable to anti-slashing bypassing due to misconfiguration
- Details
-
Summary
The anti-slashing is not effective if the attacker can access EOTS manager endpoints.
Impact
If the EOTS manager endpoints are open to public without HMAC protection, the attacker can manually cause slashing of the finality provider through the RPC endpoints
- Database specific
{ "github_reviewed": true, "nvd_published_at": null, "github_reviewed_at": "2025-12-12T20:15:03Z", "severity": "HIGH", "cwe_ids": [ "CWE-285" ] }- References
Affected packages
Go / github.com/babylonlabs-io/finality-provider
Package
- Name
- github.com/babylonlabs-io/finality-provider
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/babylonlabs-io/finality-provider