GHSA-6jrf-4jv4-r9mw

Source
https://github.com/advisories/GHSA-6jrf-4jv4-r9mw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-6jrf-4jv4-r9mw/GHSA-6jrf-4jv4-r9mw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6jrf-4jv4-r9mw
Published
2025-04-09T13:01:26Z
Modified
2025-04-09T13:01:26Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
tendermint-rs's Light Client Verifier allows malicious validators to spoof votes from other validators
Details

Name: ISA-2025-003: Malicious validator can spoof votes from other validators
Component: tendermint-rs
Criticality: High (Catastrophic Impact; Rare Likelihood per ACMv1.2)
Affected versions: <= v0.40.2
Affected users: Everyone

Description

tendermint-rs contains a critical vulnerability in its light client implementation due to insecure handling of corrupted validator sets. When counting votes, the light client does not check that each validator's address is correctly derived from that validator's public key, so votes from other validators can be spoofed. This makes it possible to construct a malicious block that cheats the light client: the light client accepts such a block as if it were signed by a 2/3+ majority.
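The missing check, as an added illustration that is not tendermint-rs code: a toy vote tally in Python that looks up voting power by the address a vote names, first without and then with the requirement that the validator-set entry's address be derived from its public key. The address derivation (first 20 bytes of SHA-256 over the 32-byte ed25519 key) matches Tendermint's ed25519 scheme; the signature check is a stand-in that treats a vote as validly signed when the signer's key equals the entry's key, the validator set and keys are constructed sample data, and the exact form of the upstream fix is not taken from the advisory.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Validator:
    address: bytes       # 20-byte address as carried in the validator set
    pub_key: bytes       # 32-byte ed25519 public key
    voting_power: int


@dataclass(frozen=True)
class Vote:
    validator_address: bytes  # validator-set entry this vote claims to come from
    signer_pub_key: bytes     # key that produced the (simulated) signature


def derive_address(pub_key: bytes) -> bytes:
    """Tendermint ed25519 address: first 20 bytes of SHA-256(pub_key)."""
    return hashlib.sha256(pub_key).digest()[:20]


def signature_valid(vote: Vote, pub_key: bytes) -> bool:
    """Stand-in for ed25519 verification (assumption: no real crypto here).
    A real verifier checks the vote's signature against pub_key; this model
    treats the signature as valid exactly when the signing key is pub_key."""
    return vote.signer_pub_key == pub_key


def verify_commit(validators, votes, check_addresses: bool) -> bool:
    """Return True iff the votes carry more than 2/3 of the total voting power.

    check_addresses=False models the flaw: power is looked up by the address
    the vote names and the entry's public key is trusted as-is.
    check_addresses=True rejects any entry whose address is not derived from
    its public key, so power can only be credited to the key that owns it.
    """
    by_addr = {}
    for val in validators:
        if check_addresses and derive_address(val.pub_key) != val.address:
            return False  # corrupted validator set: refuse to count anything
        by_addr[val.address] = val
    total_power = sum(val.voting_power for val in validators)

    signed_power = 0
    counted = set()
    for vote in votes:
        val = by_addr.get(vote.validator_address)
        if val is None or val.address in counted:
            continue  # unknown validator or duplicate vote
        if not signature_valid(vote, val.pub_key):
            continue  # signature does not match the entry's key
        counted.add(val.address)
        signed_power += val.voting_power
    return signed_power * 3 > total_power * 2


# Constructed sample data (not real keys): one honest validator with 70 power
# and one malicious validator with 30 power.
HONEST_PK = bytes([0x01]) * 32
MALICIOUS_PK = bytes([0x02]) * 32
HONEST = Validator(derive_address(HONEST_PK), HONEST_PK, 70)
MALICIOUS = Validator(derive_address(MALICIOUS_PK), MALICIOUS_PK, 30)
GENUINE_SET = [HONEST, MALICIOUS]

# A corrupted set keeps the honest validator's address and power but carries
# the malicious public key, so a vote signed by the malicious key is credited
# with the honest validator's power unless the address/key link is checked.
CORRUPTED_SET = [Validator(HONEST.address, MALICIOUS_PK, 70), MALICIOUS]
SPOOFED_VOTES = [Vote(HONEST.address, MALICIOUS_PK),
                 Vote(MALICIOUS.address, MALICIOUS_PK)]


if __name__ == "__main__":
    honest_only = [Vote(HONEST.address, HONEST_PK)]
    print("genuine set, honest vote:", verify_commit(GENUINE_SET, honest_only, True))
    print("corrupted set, unchecked:", verify_commit(CORRUPTED_SET, SPOOFED_VOTES, False))
    print("corrupted set, checked:  ", verify_commit(CORRUPTED_SET, SPOOFED_VOTES, True))
```

With the check disabled the corrupted set reaches a 2/3+ quorum on the strength of a single key; with it enabled the set is rejected before any power is counted. Rejecting the whole set rather than skipping the bad entry is deliberate: a validator set that fails this consistency check was not produced by honest consensus, and partial acceptance would leave the quorum arithmetic open to manipulation.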

Patches

The new tendermint-rs release v0.40.3 fixes this issue.

Unreleased code in the main branch is patched as well.

Workarounds

There are no known workarounds for this issue.

Timeline

  • March 12, 2025, 13:41pm PST: Issue reported
  • March 12, 2025, 03:00am PST: Core team completes validation of issue

This issue was reported by Felix Wilhelm from Asymmetric Research.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-09T13:01:26Z"
}
References

Affected packages

crates.io / tendermint-light-client-verifier

Package

Name
tendermint-light-client-verifier
Purl
pkg:cargo/tendermint-light-client-verifier

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.40.3