GO-2023-1882

Source
https://pkg.go.dev/vuln/GO-2023-1882
Import Source
https://vuln.go.dev/ID/GO-2023-1882.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2023-1882
Published
2023-07-06T20:13:13Z
Modified
2024-05-20T16:03:47Z
Summary
Deadlock in github.com/cometbft/cometbft/consensus
Details

An internal modification to the way PeerState is serialized to JSON introduced a deadlock when the new function MarshalJSON is called.

This function can be called in two ways. The first is via logs, by setting the consensus logging module to "debug" level (which should not happen in production) and setting the log output format to JSON. The second is via the RPC endpoint dump_consensus_state.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2023-1882"
}

Affected packages

Go / github.com/cometbft/cometbft

Package

Name
github.com/cometbft/cometbft
Purl
pkg:golang/github.com/cometbft/cometbft

Affected ranges

Type
SEMVER
Events
Introduced
0.37.1
Fixed
0.37.2

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/cometbft/cometbft/consensus",
            "symbols": [
                "PeerState.MarshalJSON"
            ]
        }
    ]
}