CVE-2025-24800: ismp-grandpa crate accepted incorrect signatures
A critical vulnerability was discovered in the ismp-grandpa crate, that allowed a malicious prover easily convince the verifier of the finality of arbitrary headers.
References
- github.com/advisories/GHSA-wwx5-gpgr-vxr7
- github.com/polytope-labs/hyperbridge
- github.com/polytope-labs/hyperbridge/pull/372/commits/f0e85db718f5165b06585a49b14a66f8ad643aea
- github.com/polytope-labs/hyperbridge/security/advisories/GHSA-wwx5-gpgr-vxr7
- github.com/polytope-labs/ismp-substrate/pull/64/commits/04d5be207b082eb61d586d52e1685e2e060347e6
- github.com/polytope-labs/ismp-substrate/pull/64/commits/5ca3351a19151f1a439c30d5cbdbfdc72a11f1a8
- github.com/polytope-labs/ismp-substrate/pull/64/commits/b26894913b301061b07db61af841ca2586415f08
- nvd.nist.gov/vuln/detail/CVE-2025-24800
Code Behaviors & Features
Detect and mitigate CVE-2025-24800 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →