GHSA-QV97-5QR8-2266

GHSA-QV97-5QR8-2266 is a medium-severity security vulnerability in mithril-client (rust), affecting versions < 0.12.2. It is fixed in 0.12.2.

Summary

Mithril certification of Cardano database

The Mithril network provides certification for snapshots of the Cardano database, enabling users to quickly bootstrap a Cardano node without relying on the slower peer-to-peer synchronization process.

To generate a multi-signature, a minimum threshold of Cardano stake registered in the protocol must agree on signing the same message. In this context, a digest is computed from the internal files of the Cardano node's database. However, this mechanism has certain limitations. Specifically, some files are not identically generated across all Cardano nodes, and there is no API to provide consistent snapshots at a specific beacon on the Cardano chain:

  • All immutable files, except the last one (which is still being created), are used to compute the message.
  • The last immutable file is excluded from the signature.
  • The ledger state files are also excluded from the signature.

Cardano node startup sequence

A Cardano node can only perform a fast bootstrap if a pre-computed ledger state is loaded into its database; otherwise, a full re-computation is required, which is time-consuming. During the startup phase with a pre-computed ledger state, the node performs structural verification of the ledger state and lightweight conformity checks, which may not be enough to systematically detect an invalid ledger state.

Attack scenarios

Inconsistencies could be introduced into a tampered ledger state distributed through Mithril snapshots, either by an unknown source or by a compromised IOG-operated aggregator. These inconsistencies would not be immediately detected by Cardano nodes started with such snapshots, potentially enabling long-range attacks that might not be corrected by honest nodes, even if they sync from genesis.

Currently, a Mithril network has only one aggregator, which serves snapshots from a secure cloud location operated by IOG and is therefore assumed to be trustworthy. In the future, as Mithril networks become more decentralized, multiple aggregators will operate independently. This increased decentralization could raise the risk of a malicious aggregator distributing a tampered ledger state.

Impact

GHSA-QV97-5QR8-2266 has a CVSS score of 4.9 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.12.2); upgrading removes the vulnerable code path.

Affected versions

mithril-client (< 0.12.2)

Security releases

mithril-client → 0.12.2 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

As a mitigation, the Mithril aggregator now signs the ledger state snapshot and the latest immutable file using an IOG-owned key, and the client library and CLI validate the signature of these files upon download.

  • The Mithril client library has been fixed in version 0.12.2; previous versions must no longer be used.
  • The Mithril client CLI has been fixed in version 0.12.1; previous versions must no longer be used.
  • The Mithril aggregator has been fixed in version 0.7.44; previous versions must no longer be used.
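The following Go program is an added illustration of the gap described above and of the mitigation: the last immutable file and the ledger state sit outside the Mithril multi-signature, so the fixed aggregator signs them separately and the client refuses them unless that signature verifies. It is not Mithril's code; the manifest layout and the use of Ed25519 over a SHA-256 hash are assumptions (Go is used here for its standard-library Ed25519), and the snapshot contents are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"sort"
)

// Snapshot holds the downloaded files (constructed sample data). The last
// immutable file and the ledger state sit outside the Mithril multi-signature.
type Snapshot struct {
	Immutables  map[string][]byte // immutable chunk files keyed by name
	LedgerState []byte            // pre-computed ledger state
}

// AncillaryManifest hashes exactly the files the multi-signature omits:
// the last (highest-named) immutable file and the ledger state.
func AncillaryManifest(s Snapshot) []byte {
	names := make([]string, 0, len(s.Immutables))
	for n := range s.Immutables {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	if len(names) > 0 { // an empty snapshot has no last immutable file
		last := names[len(names)-1]
		h.Write([]byte(last))
		h.Write(s.Immutables[last])
	}
	h.Write(s.LedgerState)
	return h.Sum(nil)
}

// SignAncillary is the aggregator side: an Ed25519 signature over the
// manifest with the aggregator-owned key. The real Mithril signing
// format is not on the page, so this scheme is an assumption.
func SignAncillary(priv ed25519.PrivateKey, s Snapshot) []byte {
	return ed25519.Sign(priv, AncillaryManifest(s))
}

// VerifyAncillary is the client-side check the fix adds: the ledger state
// and last immutable file are accepted only if the signature verifies
// under the pinned aggregator public key.
func VerifyAncillary(pub ed25519.PublicKey, s Snapshot, sig []byte) error {
	if !ed25519.Verify(pub, AncillaryManifest(s), sig) {
		return errors.New("ancillary files rejected: signature does not verify")
	}
	return nil
}
```

A client would pin the aggregator public key out of band and call VerifyAncillary before loading the ledger state into the node.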

Frequently Asked Questions

  1. What is GHSA-QV97-5QR8-2266? GHSA-QV97-5QR8-2266 is a medium-severity security vulnerability in mithril-client (rust), affecting versions < 0.12.2. It is fixed in 0.12.2.
  2. How severe is GHSA-QV97-5QR8-2266? GHSA-QV97-5QR8-2266 has a CVSS score of 4.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of mithril-client are affected by GHSA-QV97-5QR8-2266? mithril-client (rust) versions < 0.12.2 are affected.
  4. Is there a fix for GHSA-QV97-5QR8-2266? Yes. GHSA-QV97-5QR8-2266 is fixed in 0.12.2. Upgrade to this version or later.
  5. Is GHSA-QV97-5QR8-2266 exploitable, and should I be worried? Whether GHSA-QV97-5QR8-2266 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether GHSA-QV97-5QR8-2266 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-QV97-5QR8-2266? Upgrade mithril-client to 0.12.2 or later.
