GHSA-R3R4-G7HQ-PQ4F

GHSA-R3R4-G7HQ-PQ4F is a high-severity security vulnerability in github.com/cometbft/cometbft (go), affecting versions >= 1.0.0-alpha.1, < 1.0.1. It is fixed in 1.0.1, 0.38.17.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

CometBFT allows a malicious peer to stall the network by disseminating seemingly valid block parts

Name: ASA-2025-002: Malicious peer can stall network by disseminating seemingly valid block parts
Component: CometBFT
Criticality: High (Catastrophic Impact; Possible Likelihood per ACMv1.2)
Affected versions: <= v0.38.16, v1.0.0
Affected users: Validators, Full nodes, Users

Description

A bug was identified in the CometBFT validation of block part indices and the corresponding proof part indices that can lead to incorrect processing and dissemination of invalid parts, which in turn could lead to a network halt. Additional validation was added to prevent this condition from happening.

Workarounds

There are no known workarounds for this issue. If a node is producing these malicious proofs, the only mitigation is to upgrade CometBFT. After upgrading, the validators then will eventually conclude the correct value.

Technical Deep-Dive

When the next proposer creates a block, it is split into many block parts (64kB each). Each block part is then disseminated via p2p layer in a gossip fashion. The block part contains the following fields:

type Part struct {
	Index uint32            `json:"index"`
	Bytes cmtbytes.HexBytes `json:"bytes"`
	Proof merkle.Proof      `json:"proof"`
}
  • Index - represents the index of a block part
  • Bytes - the actual content
  • Proof - Merkle proof, which allows the receiving node to quickly verify that a Part is indeed a piece of the proposed block.

The Proof contains the following fields:

type Proof struct {
	Total    int64    `json:"total"`           // Total number of items.
	Index    int64    `json:"index"`           // Index of item to prove.
	LeafHash []byte   `json:"leaf_hash"`       // Hash of item value.
	Aunts    [][]byte `json:"aunts,omitempty"` // Hashes from leaf's sibling to a root's child.
}

Note that the total number of leaves in the Merkle tree equals the number of parts in the proposed block. Previously, CometBFT did not validate the Index field and specifically that Part.Index must be equal to Part.Proof.Index. This leads to a condition where, it is possible to use the proof from a different part and CometBFT accept it, even though the proof proves the different part is a piece of the proposed block and not the part that the peer actually sent to us.

This condition is problematic because:

  1. it would disseminate the invalid block part to its neighboring nodes (because it deemed it as correct)
  2. it would mark the block part as received and ask the neighboring nodes not to relay it in the future, making it impossible to receive the correct block part.

To address this, CometBFT was patched to verify that Part.Index is equal to Part.Proof.Index, preventing the above condition.

Timeline

  • January 15, 2025, 12:12pm PST: Issue reported to the Cosmos Bug Bounty program
  • January 15, 2025, 12:31pm PST: Issue triaged by Amulet on-call, and distributed to Core team
  • January 27, 2025, 11:28pm PST: Core team completes validation of issue
  • January 31, 2024, 2:15pm PST: Pre-notification delivered
  • February 3rd, 2024, 9:00am UTC+4: Patch made available

This issue was reported by unknown_feature to the Cosmos Bug Bounty Program on HackerOne on January 15, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

If you have questions about Interchain security efforts, please reach out to our official communication channel at [email protected]. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.

A Github Security Advisory for this issue is available in the CometBFT repository. For more information about CometBFT, see https://docs.cometbft.com/.

Impact

Affected versions

github.com/cometbft/cometbft (>= 1.0.0-alpha.1, < 1.0.1) github.com/cometbft/cometbft (< 0.38.17)

Security releases

github.com/cometbft/cometbft → 1.0.1 (go) github.com/cometbft/cometbft → 0.38.17 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

The new CometBFT releases v1.0.1 and v0.38.17 fix this issue.

Unreleased code in the main branch is patched as well.

Frequently Asked Questions

  1. What is GHSA-R3R4-G7HQ-PQ4F? GHSA-R3R4-G7HQ-PQ4F is a high-severity security vulnerability in github.com/cometbft/cometbft (go), affecting versions >= 1.0.0-alpha.1, < 1.0.1. It is fixed in 1.0.1, 0.38.17.
  2. Which versions of github.com/cometbft/cometbft are affected by GHSA-R3R4-G7HQ-PQ4F? github.com/cometbft/cometbft (go) versions >= 1.0.0-alpha.1, < 1.0.1 is affected.
  3. Is there a fix for GHSA-R3R4-G7HQ-PQ4F? Yes. GHSA-R3R4-G7HQ-PQ4F is fixed in 1.0.1, 0.38.17. Upgrade to this version or later.
  4. Is GHSA-R3R4-G7HQ-PQ4F exploitable, and should I be worried? Whether GHSA-R3R4-G7HQ-PQ4F is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether GHSA-R3R4-G7HQ-PQ4F is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix GHSA-R3R4-G7HQ-PQ4F?
    • Upgrade github.com/cometbft/cometbft to 1.0.1 or later
    • Upgrade github.com/cometbft/cometbft to 0.38.17 or later

Other vulnerabilities in github.com/cometbft/cometbft

Stop the waste.
Protect your environment with Kodem.