GHSA-wwx5-gpgr-vxr7

Source
https://github.com/advisories/GHSA-wwx5-gpgr-vxr7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-wwx5-gpgr-vxr7/GHSA-wwx5-gpgr-vxr7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wwx5-gpgr-vxr7
Aliases
  • CVE-2025-24800
Published
2025-01-28T17:29:17Z
Modified
2025-01-28T20:15:50Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
ismp-grandpa crate accepted incorrect signatures
Details

A critical vulnerability was discovered in the ismp-grandpa crate that allowed a malicious prover to easily convince the verifier of the finality of arbitrary headers.

Description

The vulnerability manifests as a verifier that only accepts incorrect signatures of Grandpa precommits and was introduced in this specific commit, perhaps due to unfamiliarity with core substrate APIs. The if statement should have included a negation check, similar to the previous code, but this was omitted, causing the verifier to only accept invalid signatures.

This vulnerability remained undetected even with integration tests, as the prover was also misconfigured to initialize the Grandpa verifier with the incorrect authority set_id. This causes verification of honest precommit signatures to fail because the message is now malformed, and the verifier indeed only accepts signatures or messages that fail the verification check.

But even more devastatingly, the verifier will also accept malicious GRANDPA signatures for any precommit message.

This vulnerability has been fixed in this commit and a patch release has been published.
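The two defects described above, the missing negation and the wrong set_id in the test setup, cancel each other out on the happy path. The following is an added illustration, not code from ismp-grandpa or its authors: it uses a toy keyed hash as a stand-in for signature verification, and every function name and value in it is hypothetical.

```rust
// Added illustration: toy keyed-hash "signature", NOT real cryptography and
// not the ismp-grandpa code. All names and values here are hypothetical.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Toy signer: the signed message binds the precommit target to the set_id.
fn sign(key: u64, target: u64, set_id: u64) -> u64 {
    let mut h = DefaultHasher::new();
    (key, target, set_id).hash(&mut h);
    h.finish()
}

/// Stand-in for a library call that returns `true` when the signature is valid.
fn sig_is_valid(key: u64, target: u64, set_id: u64, sig: u64) -> bool {
    sign(key, target, set_id) == sig
}

/// Buggy shape: the `!` is missing, so a *valid* signature takes the error path.
fn verify_inverted(key: u64, target: u64, set_id: u64, sig: u64) -> Result<(), &'static str> {
    if sig_is_valid(key, target, set_id, sig) {
        return Err("invalid signature");
    }
    Ok(())
}

/// Corrected shape: reject exactly when validation fails.
fn verify_fixed(key: u64, target: u64, set_id: u64, sig: u64) -> Result<(), &'static str> {
    if !sig_is_valid(key, target, set_id, sig) {
        return Err("invalid signature");
    }
    Ok(())
}

fn main() {
    let (key, target) = (0xA11CE, 42); // constructed sample values
    let (real_set_id, wrong_set_id) = (7, 0);
    let honest = sign(key, target, real_set_id);
    // Happy-path test with the verifier given the wrong set_id: passes, hiding the bug.
    assert!(verify_inverted(key, target, wrong_set_id, honest).is_ok());
    // Negative test with a constructed garbage signature: this is what exposes the bug.
    assert!(verify_inverted(key, target, real_set_id, 0xBAD).is_ok()); // wrongly accepted
    assert!(verify_fixed(key, target, real_set_id, 0xBAD).is_err());
    assert!(verify_fixed(key, target, real_set_id, honest).is_ok());
    // With the negation restored, the set_id misconfiguration surfaces as a failure.
    assert!(verify_fixed(key, target, wrong_set_id, honest).is_err());
}
```

A test suite for a verifier needs at least one case that feeds it a signature known to be invalid and asserts rejection; a suite of only positive cases cannot distinguish the two functions above once the test setup is also wrong.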

Impact

This could be used to steal funds or compromise other kinds of cross-chain applications.

Patches

This vulnerability has been fixed in the latest version of ismp-grandpa, v15.0.1.

Recommendations

Users who rely on the compromised versions must upgrade immediately, as all vulnerable versions of the crate have been yanked.

Database specific
{
    "nvd_published_at": "2025-01-28T16:15:45Z",
    "cwe_ids": [
        "CWE-347"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-28T17:29:17Z"
}
Affected packages

crates.io / ismp-grandpa

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
15.0.1

crates.io / grandpa-verifier-primitives

Package

Name
grandpa-verifier-primitives
Purl
pkg:cargo/grandpa-verifier-primitives

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.1.2

crates.io / grandpa-verifier

Package

Name
grandpa-verifier
Purl
pkg:cargo/grandpa-verifier

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.1.2