CVE-2025-24371: CometBFT allows a malicious peer to make node stuck in blocksync
(updated )
Name: ASA-2025-001: Malicious peer can disrupt node’s ability to sync via blocksync Component: CometBFT [OUTDATED] Criticality: Medium (Considerable Impact; Possible Likelihood per ACMv1.2) Update of Criticality on 2026-03-06: We’ve made a mistake and over-rated the criticality of this bug in our initial triage. We have calibrated our vulnerability rating internally and updated the criticality of this bug to be Informational (Negligible Impact, Possible Likelihood) Affected versions: <= v0.38.16, v1.0.0 Affected users: Validators, Full nodes
References
- github.com/advisories/GHSA-22qq-3xwm-r5x4
- github.com/cometbft/cometbft
- github.com/cometbft/cometbft/commit/0ee80cd609c7ae9fe856bdd1c6d38553fdae90ce
- github.com/cometbft/cometbft/commit/2cebfde06ae5073c0b296a9d2ca6ab4b95397ea5
- github.com/cometbft/cometbft/releases/tag/v0.38.17
- github.com/cometbft/cometbft/releases/tag/v1.0.1
- github.com/cometbft/cometbft/security/advisories/GHSA-22qq-3xwm-r5x4
- nvd.nist.gov/vuln/detail/CVE-2025-24371
- pkg.go.dev/vuln/GO-2025-3442
Code Behaviors & Features
Detect and mitigate CVE-2025-24371 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →