{"id":"GO-2025-3442","summary":"CometBFT allows a malicious peer to make a node get stuck in blocksync in github.com/cometbft/cometbft","details":"CometBFT allows a malicious peer to make a node get stuck in blocksync in github.com/cometbft/cometbft","aliases":["CVE-2025-24371","GHSA-22qq-3xwm-r5x4"],"modified":"2026-03-17T04:51:48.927775Z","published":"2025-02-04T22:06:13Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2025-3442","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/cometbft/cometbft/security/advisories/GHSA-22qq-3xwm-r5x4"},{"type":"FIX","url":"https://github.com/cometbft/cometbft/commit/0ee80cd609c7ae9fe856bdd1c6d38553fdae90ce"},{"type":"FIX","url":"https://github.com/cometbft/cometbft/commit/2cebfde06ae5073c0b296a9d2ca6ab4b95397ea5"},{"type":"WEB","url":"https://github.com/cometbft/cometbft/releases/tag/v0.38.17"},{"type":"WEB","url":"https://github.com/cometbft/cometbft/releases/tag/v1.0.1"}],"affected":[{"package":{"name":"github.com/cometbft/cometbft","ecosystem":"Go","purl":"pkg:golang/github.com/cometbft/cometbft"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.38.17"}]}],"ecosystem_specific":{"imports":[{"symbols":["BlockPool.SetPeerRange","Reactor.Receive"],"path":"github.com/cometbft/cometbft/blocksync"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-3442.json"}},{"package":{"name":"github.com/cometbft/cometbft","ecosystem":"Go","purl":"pkg:golang/github.com/cometbft/cometbft"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.0.1"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/cometbft/cometbft/internal/blocksync","symbols":["BlockPool.SetPeerRange","Reactor.Receive"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-3442.json"}}],"schema_version":"1.7.5"}