CVE-2025-24371
Description
CometBFT is a distributed, Byzantine fault-tolerant, deterministic state machine replication engine. In the blocksync protocol peers send their base and latest heights when they connect to a new node (A), which is syncing to the tip of a network. base acts as a lower ground and informs A that the peer only has blocks starting from height base. latest height informs A about the latest block in a network. Normally, nodes would only report increasing heights. If B fails to provide the latest block, B is removed and the latest height (target height) is recalculated based on other nodes latest heights. The existing code however doesn't check for the case where B first reports latest height X and immediately after height Y, where X > Y. A will be trying to catch up to 2000 indefinitely. This condition requires the introduction of malicious code in the full node first reporting some non-existing latest height, then reporting lower latest height and nodes which are syncing using blocksync protocol. This issue has been patched in versions 1.0.1 and 0.38.17 and all users are advised to upgrade. Operators may attempt to ban malicious peers from the network as a workaround.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/cometbft/cometbftGo | >= 1.0.0-alpha.1, < 1.0.1 | 1.0.1 |
github.com/cometbft/cometbftGo | < 0.38.17 | 0.38.17 |
Affected products
5- ghsa-coords4 versionspkg:golang/github.com/cometbft/cometbftpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweedpkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
>= 1.0.0-alpha.1, < 1.0.1+ 3 more
- (no CPE)range: >= 1.0.0-alpha.1, < 1.0.1
- (no CPE)range: < 0.0.20250207T224745-150000.1.32.1
- (no CPE)range: < 0.0.20250204T220613-1.1
- (no CPE)range: < 0.0.20250207T224745-150000.1.32.1
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-22qq-3xwm-r5x4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-24371ghsaADVISORY
- github.com/cometbft/cometbft/commit/0ee80cd609c7ae9fe856bdd1c6d38553fdae90ceghsaWEB
- github.com/cometbft/cometbft/commit/2cebfde06ae5073c0b296a9d2ca6ab4b95397ea5ghsaWEB
- github.com/cometbft/cometbft/releases/tag/v0.38.17nvdWEB
- github.com/cometbft/cometbft/releases/tag/v1.0.1nvdWEB
- github.com/cometbft/cometbft/security/advisories/GHSA-22qq-3xwm-r5x4nvdWEB
- pkg.go.dev/vuln/GO-2025-3442ghsaWEB
News mentions
1- ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking & MoreThe Hacker News · Apr 27, 2026