GHSA-P7MV-53F2-4CWJ

GHSA-P7MV-53F2-4CWJ is a high-severity security vulnerability in github.com/cometbft/cometbft (go), affecting versions >= 0.38.0, < 0.38.15. It is fixed in 0.38.15.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

CometBFT Vote Extensions: Panic when receiving a Pre-commit with an invalid data

Name: ASA-2024-011: Vote Extensions: Panic when receiving a Pre-commit with an invalid data
Component: CometBFT
Criticality: High (Considerable Impact, and Possible Likelihood per ACMv1.2)
Affected versions: >= 0.38.x, unreleased v1.x and main development branches
Affected users: Chain Builders + Maintainers, Validators

Impact Qualification

This condition requires the introduction of malicious code in the full node sending this Vote message to its peers. Namely, nodes running upstream code cannot produce invalid Vote messages, with non-existing ValidatorIndex. Moreover, networks utilizing default behavior, where vote extensions are not enabled, are not affected by this issue.

Workarounds

When the consensus code panics after receiving an invalid Vote message, the operator can identify the peer from which that message was received. This may require increasing the logging level of the consensus module. This peer can then be subsequently banned at the p2p layer as a temporary mitigation.

References

Timeline

  • October 21, 2024, 3:26pm PST: Issue reported to the Cosmos Bug Bounty program
  • October 21, 2024, 3:41pm PST: Issue triaged by Amulet on-call, and distributed to Core team
  • October 29, 2024, 11:35pm PST: Core team completes validation of issue
  • October 30, 2024, 3:33am PST: Core team completes patch for issue
  • October 30, 2024, 5:09am PST: Amulet creates coordination plan; schedule for distribution
  • November 4, 2024, 8:00pm GMT: Pre-notification delivered
  • November 6, 2024, 8:00am GMT: Patch made available

This issue was reported by corverroos to the Cosmos Bug Bounty Program on HackerOne on October 21, 2024. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

If you have questions about Interchain security efforts, please reach out to our official communication channel at [email protected]. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.

A Github Security Advisory for this issue is available in the CometBFT repository. For more information about CometBFT, see https://docs.cometbft.com/.

Impact

A CometBFT node running in a network with [vote extensions][abci-spec] enabled could produce an invalid Vote message and send it to its peers. The invalid field of the Vote message is the ValidatorIndex, which identifies the sender in the ValidatorSet running that height of consensus. This field is ordinarily verified in the processing of Vote messages, but it turns out that in the case of a Vote message of type Precommit and for a non-nil BlockID, a logic was introduced before this ordinary verification to handle the attached vote extension. This introduced logic (not present in releases prior to 0.38.x) does not double-check the validity of the ValidatorIndex field. The result is a panic in the execution of the node receiving and processing such message.

Affected versions

github.com/cometbft/cometbft (>= 0.38.0, < 0.38.15)

Security releases

github.com/cometbft/cometbft → 0.38.15 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

The new CometBFT release [v0.38.15][v0.38.15] fixes this issue.

Unreleased code in the main and v1.x branches, and experimental code in the v0.38-experimental and v1.x-experimental branches are patched as well.

Frequently Asked Questions

  1. What is GHSA-P7MV-53F2-4CWJ? GHSA-P7MV-53F2-4CWJ is a high-severity security vulnerability in github.com/cometbft/cometbft (go), affecting versions >= 0.38.0, < 0.38.15. It is fixed in 0.38.15.
  2. Which versions of github.com/cometbft/cometbft are affected by GHSA-P7MV-53F2-4CWJ? github.com/cometbft/cometbft (go) versions >= 0.38.0, < 0.38.15 is affected.
  3. Is there a fix for GHSA-P7MV-53F2-4CWJ? Yes. GHSA-P7MV-53F2-4CWJ is fixed in 0.38.15. Upgrade to this version or later.
  4. Is GHSA-P7MV-53F2-4CWJ exploitable, and should I be worried? Whether GHSA-P7MV-53F2-4CWJ is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether GHSA-P7MV-53F2-4CWJ is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix GHSA-P7MV-53F2-4CWJ? Upgrade github.com/cometbft/cometbft to 0.38.15 or later.

Other vulnerabilities in github.com/cometbft/cometbft

Stop the waste.
Protect your environment with Kodem.