High severity · NVD Advisory · Published Sep 29, 2025 · Updated Sep 30, 2025
go-f3 module vulnerable to integer overflow leading to panic
CVE-2025-59942
Description
go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.6 and below, go-f3 panics when it validates a "poison" message, leaving Filecoin nodes that consume F3 messages vulnerable. A "poison" message can cause an integer overflow in the signer index validation, which can crash the whole node. These malicious messages aren't self-propagating since the bug is in the validator; an attacker needs to send the message directly to all targets. This issue is fixed in version 0.8.7.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/filecoin-project/go-f3 (Go) | < 0.8.7 | 0.8.7 |
Affected products
- ghsa-coords (4 versions), < 0.8.7 + 3 more
  - pkg:golang/github.com/filecoin-project/go-f3
  - pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
  - pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
- (no CPE)range: < 0.8.7
- (no CPE)range: < 0.0.20251023T162509-150000.1.110.1
- (no CPE)range: < 0.0.20251023T162509-1.1
- (no CPE)range: < 0.0.20251023T162509-150000.1.110.1
- Range: < 0.8.7
References
- github.com/advisories/GHSA-g99p-47x7-mq88 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-59942 (ghsa, ADVISORY)
- github.com/filecoin-project/go-f3/security/advisories/GHSA-g99p-47x7-mq88 (ghsa, x_refsource_CONFIRM, WEB)
- pkg.go.dev/vuln/GO-2025-3990 (ghsa, WEB)