CVE-2025-24371: CometBFT allows a malicious peer to make node stuck in blocksync
Name: ASA-2025-001: Malicious peer can disrupt node’s ability to sync via blocksync
Component: CometBFT
Criticality: Medium (Considerable Impact; Possible Likelihood per ACMv1.2)
Affected versions: <= v0.38.16, v1.0.0
Affected users: Validators, Full nodes
References
- github.com/advisories/GHSA-22qq-3xwm-r5x4
- github.com/cometbft/cometbft
- github.com/cometbft/cometbft/commit/0ee80cd609c7ae9fe856bdd1c6d38553fdae90ce
- github.com/cometbft/cometbft/commit/2cebfde06ae5073c0b296a9d2ca6ab4b95397ea5
- github.com/cometbft/cometbft/releases/tag/v0.38.17
- github.com/cometbft/cometbft/releases/tag/v1.0.1
- github.com/cometbft/cometbft/security/advisories/GHSA-22qq-3xwm-r5x4
- nvd.nist.gov/vuln/detail/CVE-2025-24371
- pkg.go.dev/vuln/GO-2025-3442