GO-2023-1882

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2023-1882

Import Source

https://vuln.go.dev/ID/GO-2023-1882.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2023-1882

Aliases

Published

2023-07-06T20:13:13Z

Modified

2024-05-20T16:03:47Z

Summary

Deadlock in github.com/cometbft/cometbft/consensus

Details

An internal modification to the way PeerState is serialized to JSON introduced a deadlock when the new function MarshalJSON is called.

This function can be called in two ways. The first is via logs, by setting the consensus logging module to "debug" level (which should not happen in production), and setting the log output format to JSON. The second is via RPC dumpconsensusstate.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2023-1882"
}

References

Affected packages

Go / github.com/cometbft/cometbft

Package

Name: github.com/cometbft/cometbft; View open source insights on deps.dev
Purl: pkg:golang/github.com/cometbft/cometbft

Affected ranges

Type: SEMVER
Events: Introduced

0.37.1

Fixed

0.37.2

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/cometbft/cometbft/consensus",
            "symbols": [
                "PeerState.MarshalJSON"
            ]
        }
    ]
}