Description
Advisory CVE-2025-24371 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/cometbft/cometbft |
Description:
CometBFT is a distributed, Byzantine fault-tolerant, deterministic state machine replication engine. In the blocksync protocol, peers send their `base` and `latest` heights when they connect to a new node (`A`) that is syncing to the tip of a network. `base` acts as a lower bound and informs `A` that the peer only has blocks starting from height `base`. The `latest` height informs `A` about the latest block in the network. Normally, nodes would only report increasing heights. If `B` fails to provide the latest block, `B` is removed and the `latest` height (target height) is recalculated based on...
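The per-peer height bookkeeping sketched above, as an added illustrative model (example code written for this report, not CometBFT's own blocksync implementation). It assumes the recalculation rule is "target = highest `latest` among remaining peers", and it enforces the "peers only report increasing heights" expectation as an invariant of the example; neither is taken from the advisory or the project's fix.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// peerHeights is what a peer advertises on connect: the lowest height it can
// serve (base) and its view of the chain tip (latest).
type peerHeights struct {
	base   int64
	latest int64
}

// pool tracks the advertised heights of every connected peer for the syncing node A.
type pool struct {
	peers map[string]peerHeights
}

func newPool() *pool {
	return &pool{peers: make(map[string]peerHeights)}
}

var (
	errBadRange         = errors.New("base height above latest height")
	errDecreasingHeight = errors.New("peer lowered its previously reported latest height")
)

// setPeerHeights records a peer's status. It rejects a base above latest and,
// as an assumption of this example (not the project's fix), a latest height
// lower than the one the same peer reported before.
func (p *pool) setPeerHeights(id string, base, latest int64) error {
	if base > latest {
		return errBadRange
	}
	if prev, ok := p.peers[id]; ok && latest < prev.latest {
		return errDecreasingHeight
	}
	p.peers[id] = peerHeights{base: base, latest: latest}
	return nil
}

// removePeer drops a peer, e.g. after it failed to deliver a requested block.
func (p *pool) removePeer(id string) {
	delete(p.peers, id)
}

// targetHeight is the highest latest height among the remaining peers
// (assumed recalculation rule for this example); 0 when no peer is connected.
func (p *pool) targetHeight() int64 {
	var best int64
	for _, h := range p.peers {
		if h.latest > best {
			best = h.latest
		}
	}
	return best
}

// peersServing lists, sorted, the peers whose [base, latest] range contains
// height h, i.e. the peers A may ask for block h.
func (p *pool) peersServing(h int64) []string {
	var ids []string
	for id, ph := range p.peers {
		if ph.base <= h && h <= ph.latest {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

func main() {
	p := newPool()
	// Constructed sample: two peers with different base/latest views.
	_ = p.setPeerHeights("B", 1, 120)
	_ = p.setPeerHeights("C", 50, 100)
	fmt.Println("target height:", p.targetHeight(), "peers for block 30:", p.peersServing(30))

	// B fails to provide a block and is removed; the target is recalculated.
	p.removePeer("B")
	fmt.Println("after removing B, target height:", p.targetHeight())

	// A peer that tries to lower its reported tip is rejected by this model.
	if err := p.setPeerHeights("C", 50, 90); err != nil {
		fmt.Println("rejected update from C:", err)
	}
}
```

Removing the peer that advertised the highest `latest` height lowers the recomputed target, which is the recalculation step the description refers to; the monotonicity check only shows where a "heights only increase" expectation would sit, not how the project handles it.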
References:
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-24371
- WEB: https://github.com/cometbft/cometbft/releases/tag/v0.38.17
- WEB: https://github.com/cometbft/cometbft/releases/tag/v1.0.1
- WEB: GHSA-22qq-3xwm-r5x4
Cross references:
- github.com/cometbft/cometbft appears in 8 other report(s):
- data/excluded/GO-2023-2092.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-hq58-p9mv-338c #2092) NOT_A_VULNERABILITY
- data/excluded/GO-2024-2585.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-555p-m4v6-cqxv #2585) NOT_A_VULNERABILITY
- data/reports/GO-2023-1882.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: CVE-2023-34450 #1882)
- data/reports/GO-2023-1883.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: CVE-2023-34451 #1883)
- data/reports/GO-2024-2471.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-qr8r-m495-7hc4 #2471)
- data/reports/GO-2024-2951.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-hg58-rf2h-6rr7 #2951)
- data/reports/GO-2024-3112.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft/light: GHSA-g5xx-c4hv-9ccc #3112)
- data/reports/GO-2024-3259.yaml (x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-p7mv-53f2-4cwj #3259)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/cometbft/cometbft
      vulnerable_at: 1.0.1
summary: CVE-2025-24371 in github.com/cometbft/cometbft
cves:
    - CVE-2025-24371
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-24371
    - web: https://github.com/cometbft/cometbft/releases/tag/v0.38.17
    - web: https://github.com/cometbft/cometbft/releases/tag/v1.0.1
    - web: https://github.com/cometbft/cometbft/security/advisories/GHSA-22qq-3xwm-r5x4
source:
    id: CVE-2025-24371
    created: 2025-02-03T23:01:32.087082518Z
review_status: UNREVIEWED
```