go-f3 module vulnerable to integer overflow leading to panic
Description
go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.6 and below, go-f3 panics when it validates a "poison" messages causing Filecoin nodes consuming F3 messages to become vulnerable. A "poison" message can can cause integer overflow in the signer index validation, which can cause the whole node to crash. These malicious messages aren't self-propagating since the bug is in the validator. An attacker needs to directly send the message to all targets. This issue is fixed in version 0.8.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in go-f3 signer index validation causes panic on poison messages, enabling denial-of-service on Filecoin nodes.
Vulnerability
Overview
go-f3, the Golang implementation of Fast Finality for Filecoin (F3), contains a vulnerability in versions 0.8.6 and below where a specially crafted "poison" message triggers an integer overflow during signer index validation. This overflow causes a panic in the validator, crashing the consuming node. The bug was discovered through a combination of a bug bounty report and further internal investigation [1][3].
Exploitation
Conditions
An attacker must directly send the poison message to each target node; the vulnerability does not self-propagate because the flaw resides in the validator, not in message propagation [3]. There are no authentication or power requirements—any attacker capable of sending messages to a node's F3 interface can exploit this [3].
Impact
Successful exploitation causes the target node to panic and crash, resulting in a denial-of-service (DoS) condition. For Lotus nodes, this crash affects the entire node, disrupting Filecoin network participation [3]. No other impacts (e.g., data corruption or remote code execution) are described in the primary sources.
Mitigation
The fix was merged and released in go-f3 version 0.8.7, which adds proper overflow checking using math.MaxInt64 and returns an error instead of panicking [3]. All Filecoin node software (Lotus, Forest, Venus) have adopted this fix as part of the nv27 network upgrade. There are no viable workarounds; upgrading to the patched version is required [3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/filecoin-project/go-f3Go | < 0.8.7 | 0.8.7 |
Affected products
2<=0.8.6+ 1 more
- (no CPE)range: <=0.8.6
- (no CPE)range: < 0.8.7
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-g99p-47x7-mq88ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-59942ghsaADVISORY
- github.com/filecoin-project/go-f3/security/advisories/GHSA-g99p-47x7-mq88ghsax_refsource_CONFIRMWEB
- pkg.go.dev/vuln/GO-2025-3990ghsaWEB
News mentions
0No linked articles in our index yet.