CVE-2025-24371

CVE-2025-24371 is a medium-severity security vulnerability in github.com/cometbft/cometbft (go), affecting versions >= 1.0.0-alpha.1, < 1.0.1. It is fixed in 1.0.1, 0.38.17.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

CometBFT allows a malicious peer to make node stuck in blocksync

Name: ASA-2025-001: Malicious peer can disrupt node's ability to sync via blocksync
Component: CometBFT
[OUTDATED] Criticality: Medium (Considerable Impact; Possible Likelihood per ACMv1.2)
Update of Criticality on 2026-03-06: We've made a mistake and over-rated the criticality of this bug in our initial triage. We have calibrated our vulnerability rating internally and updated the criticality of this bug to be Informational (Negligible Impact, Possible Likelihood)
Affected versions: <= v0.38.16, v1.0.0
Affected users: Validators, Full nodes

Impact Qualification

This condition requires the introduction of malicious code in the full node first reporting a non-existing latest height, then reporting lower latest height and nodes which are syncing using blocksync protocol.

Workarounds

When the operator notices blocksync is stuck, they can identify the peer from which that message with "invalid" height was received. This may require increasing the logging level of the blocksync module. This peer can then be subsequently banned at the p2p layer as a temporary mitigation.

References

If you have questions about Interchain security efforts, please reach out to our official communication channel at [email protected]. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.

A Github Security Advisory for this issue is available in the CometBFT repository. For more information about CometBFT, see https://docs.cometbft.com/.

EDIT:

Please notice that this has been updated to be informational severity. This can be avoided by ensuring that one is not connected to a malicious peer during blocksync.

Impact

A malicious peer may be able to interfere with a node's ability to sync blocks with peers via the blocksync mechanism.

In the blocksync protocol peers send their base and latest heights when they connect to a new node (A), which is syncing to the tip of a network. base acts as a lower ground and informs A that the peer only has blocks starting from height base. latest height informs A about the latest block in a network. Normally, nodes would only report increasing heights:

B: {base: 100, latest: 1000}
B: {base: 100, latest: 1001}
B: {base: 100, latest: 1002}
...

If B fails to provide the latest block, B is removed and the latest height (target height) is recalculated based on other nodes latest heights.

The existing code hovewer doesn't check for the case where B first reports latest height X and immediately after height Y, where X > Y. For example:

B: {base: 100, latest: 2000}
B: {base: 100, latest: 1001}
B: {base: 100, latest: 1002}
...

A will be trying to catch up to 2000 indefinitely. Even if B disconnects, the latest height (target height) won't be recalculated because A "doesn't know where 2000" came from per see.

Affected versions

github.com/cometbft/cometbft (>= 1.0.0-alpha.1, < 1.0.1) github.com/cometbft/cometbft (< 0.38.17)

Security releases

github.com/cometbft/cometbft → 1.0.1 (go) github.com/cometbft/cometbft → 0.38.17 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

The new CometBFT releases v1.0.1 and v0.38.17 fix this issue.

Unreleased code in the main is patched as well.

Frequently Asked Questions

  1. What is CVE-2025-24371? CVE-2025-24371 is a medium-severity security vulnerability in github.com/cometbft/cometbft (go), affecting versions >= 1.0.0-alpha.1, < 1.0.1. It is fixed in 1.0.1, 0.38.17.
  2. Which versions of github.com/cometbft/cometbft are affected by CVE-2025-24371? github.com/cometbft/cometbft (go) versions >= 1.0.0-alpha.1, < 1.0.1 is affected.
  3. Is there a fix for CVE-2025-24371? Yes. CVE-2025-24371 is fixed in 1.0.1, 0.38.17. Upgrade to this version or later.
  4. Is CVE-2025-24371 exploitable, and should I be worried? Whether CVE-2025-24371 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2025-24371 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2025-24371?
    • Upgrade github.com/cometbft/cometbft to 1.0.1 or later
    • Upgrade github.com/cometbft/cometbft to 0.38.17 or later

Other vulnerabilities in github.com/cometbft/cometbft

Stop the waste.
Protect your environment with Kodem.