GHSA-G5XX-C4HV-9CCC

GHSA-G5XX-C4HV-9CCC is a low-severity security vulnerability in github.com/cometbft/cometbft/light (go), affecting versions >= 0.34.0, < 0.34.34. It is fixed in 0.34.34, 0.37.11, 0.38.12.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

CometBFT's state syncing validator from malicious node may lead to a chain split

Name: ASA-2024-009: State syncing validator from malicious node may lead to a chain split
Component: CometBFT
Criticality: Medium (ACMv1.2: I:Moderate; L: Possible)
Affected versions: >= 0.34.0, <= 0.34.33, >=0.37.0, <= 0.37.10, >= 0.38.0, <= 0.38.11

The state sync protocol retrieves a snapshot of the application and installs it in a fresh node. In order for this node to be ready to run consensus and block sync from the installed snapshot height, we also need to install a valid State in the node, which is the starting state from which it is able to validate new blocks and append them to the blockchain.

The State object used by state sync is computed using the light client protocol, which retrieves information about committed blocks from at least two RPC endpoints. The light client protocol performs several state validations and, in particular, compares the state provided by different RPC endpoints, looking for inconsistencies.

The State object contains, among other fields, a Validators field which stores the current validator set. A validator set is a list of validator addresses, public keys and associated voting powers, one per validator. It also stores, for historical reasons, the state of the proposer selection algorithm, in the form of the ProposerPriority field associated with each Validator.

While the light client is able to validate the ValidatorSet retrieved from RPC endpoints, this validation does not include the ProposerPriority field associated with each Validator. As a result, when state sync adopts RPC endpoints that, for unknown reasons, provide an invalid state of the proposer selection algorithm, the node will not be able to properly run the consensus protocol, as their local view of which validator is the proposer of a given round and height will disagree with the views of the correct validators. If an increasing number of validators state sync using RPC endpoints with invalid states, the network eventually halts.

Workarounds

The issue is observed when validators run state sync using RPC nodes that are malicious or report invalid states for the proposer selection algorithm.

It is worth noting that non-malicious nodes running upstream software should never report an invalid state for the proposer selection algorithm. This situation may result from the adoption of nodes with customized code or which had their state, stored in local databases, manually updated.

When the network public's RPC endpoints have an invalid state for the proposer election algorithm, there, new validators should refrain from using state sync for bootstrapping or be sure that they configure for state sync RPC endpoints with a valid state of the proposer election algorithm.

A validator with an invalid state for the proposer selection algorithm will reject most of the proposed blocks and will have the network rejecting blocks it has proposed. It is also possible to manually compare the state of the proposer election algorithm of nodes by comparing the outputs of the /validators?height=_ RPC endpoints. The outputs must fully match, including the ProposerPriority field associated with each validator.

References

This issue was reported to the Cosmos Bug Bounty Program on HackerOne on 12/08/24. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

If you have questions about Interchain security efforts, please reach out to our official communication channel at [email protected].

For more information about CometBFT, please see https://docs.cometbft.com/.

For more information about the Interchain Foundation’s engagement with Amulet, please see https://github.com/interchainio/security.

Impact

GHSA-G5XX-C4HV-9CCC has a CVSS score of 4.7 (Low). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.34.34, 0.37.11, 0.38.12); upgrading removes the vulnerable code path.

Affected versions

github.com/cometbft/cometbft/light (>= 0.34.0, < 0.34.34) github.com/cometbft/cometbft/light (>= 0.37.0, < 0.37.11) github.com/cometbft/cometbft/light (>= 0.38.0, < 0.38.12) github.com/cometbft/cometbft (>= 0.37.0, < 0.37.11) github.com/cometbft/cometbft (>= 0.38.0, < 0.38.12)

Security releases

github.com/cometbft/cometbft/light → 0.34.34 (go) github.com/cometbft/cometbft/light → 0.37.11 (go) github.com/cometbft/cometbft/light → 0.38.12 (go) github.com/cometbft/cometbft → 0.37.11 (go) github.com/cometbft/cometbft → 0.38.12 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Release versions 0.34.34, 0.37.11, and 0.38.12 include a patch to address this issue.

In the patched versions, the light client protocol compares the ProposerPriority fields of the ValidatorSet instances retrieved from the RPC endpoints configured for state sync. If they differ, the computed State object is considered invalid and state sync will fail with an error.

Frequently Asked Questions

  1. What is GHSA-G5XX-C4HV-9CCC? GHSA-G5XX-C4HV-9CCC is a low-severity security vulnerability in github.com/cometbft/cometbft/light (go), affecting versions >= 0.34.0, < 0.34.34. It is fixed in 0.34.34, 0.37.11, 0.38.12.
  2. How severe is GHSA-G5XX-C4HV-9CCC? GHSA-G5XX-C4HV-9CCC has a CVSS score of 4.7 (Low). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by GHSA-G5XX-C4HV-9CCC?
    • github.com/cometbft/cometbft/light (go) (versions >= 0.34.0, < 0.34.34)
    • github.com/cometbft/cometbft (go) (versions >= 0.37.0, < 0.37.11)
  4. Is there a fix for GHSA-G5XX-C4HV-9CCC? Yes. GHSA-G5XX-C4HV-9CCC is fixed in 0.34.34, 0.37.11, 0.38.12. Upgrade to this version or later.
  5. Is GHSA-G5XX-C4HV-9CCC exploitable, and should I be worried? Whether GHSA-G5XX-C4HV-9CCC is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-G5XX-C4HV-9CCC is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-G5XX-C4HV-9CCC?
    • Upgrade github.com/cometbft/cometbft/light to 0.34.34 or later
    • Upgrade github.com/cometbft/cometbft/light to 0.37.11 or later
    • Upgrade github.com/cometbft/cometbft/light to 0.38.12 or later
    • Upgrade github.com/cometbft/cometbft to 0.37.11 or later
    • Upgrade github.com/cometbft/cometbft to 0.38.12 or later

Stop the waste.
Protect your environment with Kodem.