All the vulnerabilites related to filecoin-project - go-f3
cve-2025-59941
Vulnerability from cvelistv5
Published
2025-09-29 22:38
Modified
2025-09-30 14:13
Severity ?
EPSS score ?
Summary
go-f3 is Vulnerable to Cached Justification Verification Bypass
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| filecoin-project | go-f3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59941",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T14:13:50.946398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T14:13:56.958Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "go-f3",
"vendor": "filecoin-project",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.8 and below, go-f3\u0027s justification verification caching mechanism has a vulnerability where verification results are cached without properly considering the context of the message. An attacker can bypass justification verification by submitting a valid message with a correct justification and then reusing the same cached justification in contexts where it would normally be invalid. This occurs because the cached verification does not properly validate the relationship between the justification and the specific message context it\u0027s being used with. This issue is fixed in version 0.8.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305: Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T22:38:42.589Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filecoin-project/go-f3/security/advisories/GHSA-7pq9-rf9p-wcrf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filecoin-project/go-f3/security/advisories/GHSA-7pq9-rf9p-wcrf"
},
{
"name": "https://github.com/filecoin-project/go-f3/commit/76fff18cf07b21baccf537024bdb2fb41f75f6e2#diff-e1f646cea41790e1642e4e649c9e3c526344736d67222201703e1c29c23e9625",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/filecoin-project/go-f3/commit/76fff18cf07b21baccf537024bdb2fb41f75f6e2#diff-e1f646cea41790e1642e4e649c9e3c526344736d67222201703e1c29c23e9625"
}
],
"source": {
"advisory": "GHSA-7pq9-rf9p-wcrf",
"discovery": "UNKNOWN"
},
"title": "go-f3 is Vulnerable to Cached Justification Verification Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59941",
"datePublished": "2025-09-29T22:38:42.589Z",
"dateReserved": "2025-09-23T14:33:49.505Z",
"dateUpdated": "2025-09-30T14:13:56.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-59942
Vulnerability from cvelistv5
Published
2025-09-29 22:50
Modified
2025-09-30 13:51
Severity ?
EPSS score ?
Summary
go-f3 module vulnerable to integer overflow leading to panic
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/filecoin-project/go-f3/security/advisories/GHSA-g99p-47x7-mq88 | x_refsource_CONFIRM |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| filecoin-project | go-f3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59942",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:51:07.416536Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T13:51:13.530Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "go-f3",
"vendor": "filecoin-project",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.6 and below, go-f3 panics when it validates a \"poison\" messages causing Filecoin nodes consuming F3 messages to become vulnerable. A \"poison\" message can can cause integer overflow in the signer index validation, which can cause the whole node to crash. These malicious messages aren\u0027t self-propagating since the bug is in the validator. An attacker needs to directly send the message to all targets. This issue is fixed in version 0.8.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T22:50:36.462Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/filecoin-project/go-f3/security/advisories/GHSA-g99p-47x7-mq88",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/filecoin-project/go-f3/security/advisories/GHSA-g99p-47x7-mq88"
}
],
"source": {
"advisory": "GHSA-g99p-47x7-mq88",
"discovery": "UNKNOWN"
},
"title": "go-f3 module vulnerable to integer overflow leading to panic"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59942",
"datePublished": "2025-09-29T22:50:36.462Z",
"dateReserved": "2025-09-23T14:33:49.505Z",
"dateUpdated": "2025-09-30T13:51:13.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}