x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-r3r4-g7hq-pq4f

[GoVulnBot]

Advisory GHSA-r3r4-g7hq-pq4f references a vulnerability in the following Go modules:

Module
github.com/cometbft/cometbft

Description:
Name: ASA-2025-002: Malicious peer can stall network by disseminating seemingly valid block parts
Component: CometBFT
Criticality: High (Catastrophic Impact; Possible Likelihood per ACMv1.2)
Affected versions: <= v0.38.16, v1.0.0
Affected users: Validators, Full nodes, Users

Description

A bug was identified in the CometBFT validation of block part indices and the corresponding proof part indices that can lead to incorrect processing and dissemination of invalid parts, which in turn could lead to a ne...

References:

• ADVISORY: GHSA-r3r4-g7hq-pq4f
• ADVISORY: GHSA-r3r4-g7hq-pq4f
• FIX: cometbft/cometbft@f943aab

Cross references:

• github.com/cometbft/cometbft appears in 8 other report(s):
  • data/excluded/GO-2023-2092.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-hq58-p9mv-338c #2092) NOT_A_VULNERABILITY
  • data/excluded/GO-2024-2585.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-555p-m4v6-cqxv #2585) NOT_A_VULNERABILITY
  • data/reports/GO-2023-1882.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: CVE-2023-34450 #1882)
  • data/reports/GO-2023-1883.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: CVE-2023-34451 #1883)
  • data/reports/GO-2024-2471.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-qr8r-m495-7hc4 #2471)
  • data/reports/GO-2024-2951.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-hg58-rf2h-6rr7 #2951)
  • data/reports/GO-2024-3112.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft/light: GHSA-g5xx-c4hv-9ccc #3112)
  • data/reports/GO-2024-3259.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-p7mv-53f2-4cwj #3259)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cometbft/cometbft
      versions:
        - fixed: 0.38.17
        - introduced: 1.0.0-alpha.1
        - fixed: 1.0.1
      vulnerable_at: 1.0.0
summary: |-
    CometBFT allows a malicious peer to stall the network by disseminating seemingly
    valid block parts in github.com/cometbft/cometbft
ghsas:
    - GHSA-r3r4-g7hq-pq4f
references:
    - advisory: https://github.com/advisories/GHSA-r3r4-g7hq-pq4f
    - advisory: https://github.com/cometbft/cometbft/security/advisories/GHSA-r3r4-g7hq-pq4f
    - fix: https://github.com/cometbft/cometbft/commit/f943aabc7b9201ea1089ff3381479929435ce424
source:
    id: GHSA-r3r4-g7hq-pq4f
    created: 2025-02-03T17:01:20.460972012Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/646596 mentions this issue: data/reports: add 2 needs review reports

[gopherbot]

Change https://go.dev/cl/657615 mentions this issue: data/reports: modify 2 needs review reports

[gopherbot]

Change https://go.dev/cl/661095 mentions this issue: data/reports: modify 1 report

[gopherbot]

Change https://go.dev/cl/661895 mentions this issue: data/reports: review GO-2025-3443