GHSA-6jrf-4jv4-r9mw: tendermint-rs's Light Client Verifier allows malicious validators to spoof votes from other validators
Name: ISA-2025-003: Malicious validator can spoof votes from other validators
Component: tendermint-rs
Criticality: High (Catastrophic Impact; Rare Likelihood per ACMv1.2)
Affected versions: <= v0.40.2
Affected users: Everyone