CVE-2025-59941: go-f3 Vulnerable to Cached Justification Verification Bypass

September 29, 2025 (updated September 30, 2025)

A vulnerability exists in go-f3’s justification verification caching mechanism where verification results are cached without properly considering the context of the message. An attacker can bypass justification verification by:

First submitting a valid message with a correct justification
Then reusing the same cached justification in contexts where it would normally be invalid

This occurs because the cached verification does not properly validate the relationship between the justification and the specific message context it’s being used with.

References

github.com/advisories/GHSA-7pq9-rf9p-wcrf
github.com/filecoin-project/go-f3
github.com/filecoin-project/go-f3/commit/76fff18cf07b21baccf537024bdb2fb41f75f6e2
github.com/filecoin-project/go-f3/security/advisories/GHSA-7pq9-rf9p-wcrf
nvd.nist.gov/vuln/detail/CVE-2025-59941

Code Behaviors & Features

Detect and mitigate CVE-2025-59941 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →