High severity · NVD Advisory · Published Jan 30, 2025 · Updated Apr 15, 2026
CVE-2025-24883
Description
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shut down or crash using a specially crafted message. This vulnerability is fixed in 1.14.13.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/ethereum/go-ethereum (Go) | >= 1.14.0, < 1.14.13 | 1.14.13 |
Patches
3eb00f1694c92fa9a2ff8687e crypto: add IsOnCurve check (#31100)
1 file changed · +3 −0
crypto/crypto.go+3 −0 modified@@ -178,6 +178,9 @@ func UnmarshalPubkey(pub []byte) (*ecdsa.PublicKey, error) { if x == nil { return nil, errInvalidPubkey } + if !S256().IsOnCurve(x, y) { + return nil, errInvalidPubkey + } return &ecdsa.PublicKey{Curve: S256(), X: x, Y: y}, nil }
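Review bot: No regression test accompanies the new `IsOnCurve` branch in `UnmarshalPubkey`; the commit touches only crypto/crypto.go (+3 −0). Add a test case that passes a well-formed encoding whose coordinates do not satisfy the curve equation and asserts `errInvalidPubkey`, so the check cannot be dropped silently in a later refactor. A one-line comment above `if !S256().IsOnCurve(x, y) {` stating that callers rely on the returned key being a valid curve point would also help.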
159fb1a1db55 crypto: add IsOnCurve check (#31100)
1 file changed · +3 −0
crypto/crypto.go+3 −0 modified@@ -178,6 +178,9 @@ func UnmarshalPubkey(pub []byte) (*ecdsa.PublicKey, error) { if x == nil { return nil, errInvalidPubkey } + if !S256().IsOnCurve(x, y) { + return nil, errInvalidPubkey + } return &ecdsa.PublicKey{Curve: S256(), X: x, Y: y}, nil }
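Review bot: `S256()` is now called twice within a few lines of `UnmarshalPubkey`, once for `IsOnCurve(x, y)` and once in the returned `ecdsa.PublicKey{Curve: S256(), X: x, Y: y}`. Binding it to a local (`curve := S256()`) makes it evident that the point is validated against the same curve it is returned with. Separately, an off-curve point returns the same `errInvalidPubkey` as the `x == nil` parse failure; that is fine for callers, but a distinct wrapped error would make rejected input easier to triage in logs.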
References
- github.com/advisories/GHSA-q26p-9cq4-7fc2 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-24883 (ghsa, ADVISORY)
- github.com/ethereum/go-ethereum/commit/159fb1a1db551c544978dc16a5568a4730b4abf3 (ghsa, WEB)
- github.com/ethereum/go-ethereum/commit/fa9a2ff8687ec9efe57b4b9833d5590d20f8a83f (nvd, WEB)
- github.com/ethereum/go-ethereum/security/advisories/GHSA-q26p-9cq4-7fc2 (nvd, WEB)
- pkg.go.dev/vuln/GO-2025-3436 (ghsa, WEB)