GHSA-22qq-3xwm-r5x4
CometBFT allows a malicious peer to make node stuck in blocksync
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
github.com/cometbft/cometbft🐹github.com/cometbft/cometbftReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Name: ASA-2025-001: Malicious peer can disrupt node's ability to sync via blocksync Component: CometBFT [OUTDATED] Criticality: Medium (Considerable Impact; Possible Likelihood per ACMv1.2) Update of Criticality on 2026-03-06: We've made a mistake and over-rated the criticality of this bug in our initial triage. We have calibrated our vulnerability rating internally and updated the criticality of this bug to be Informational (Negligible Impact, Possible Likelihood) Affected versions: <= v0.38.16, v1.0.0 Affected users: Validators, Full nodes
Impact
A malicious peer may be able to interfere with a node's ability to sync blocks with peers via the blocksync mechanism.
In the blocksync protocol peers send their base and latest heights when they connect to a new node (A), which is syncing to the tip of a network. base acts as a lower ground and informs A that the peer only has blocks starting from height base. latest height informs A about the latest block in a network. Normally, nodes would only report increasing heights:
B: {base: 100, latest: 1000}
B: {base: 100, latest: 1001}
B: {base: 100, latest: 1002}
...
If B fails to provide the latest block, B is removed and the latest height (target height) is recalculated based on other nodes latest heights.
The existing code hovewer doesn't check for the case where B first reports latest height X and immediately after height Y, where X > Y. For example:
B: {base: 100, latest: 2000}
B: {base: 100, latest: 1001}
B: {base: 100, latest: 1002}
...
A will be trying to catch up to 2000 indefinitely. Even if B disconnects, the latest height (target height) won't be recalculated because A "doesn't know where 2000" came from per see.
Impact Qualification
This condition requires the introduction of malicious code in the full node first reporting a non-existing latest height, then reporting lower latest height and nodes which are syncing using blocksync protocol.
Patches
The new CometBFT releases v1.0.1 and v0.38.17 fix this issue.
Unreleased code in the main is patched as well.
Workarounds
When the operator notices blocksync is stuck, they can identify the peer from which that message with "invalid" height was received. This may require increasing the logging level of the blocksync module. This peer can then be subsequently banned at the p2p layer as a temporary mitigation.
References
If you have questions about Interchain security efforts, please reach out to our official communication channel at [email protected]. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.
A Github Security Advisory for this issue is available in the CometBFT repository. For more information about CometBFT, see https://docs.cometbft.com/.
EDIT:
Please notice that this has been updated to be informational severity. This can be avoided by ensuring that one is not connected to a malicious peer during blocksync.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/cometbft/cometbft | ≥ 1.0.0-alpha.1&&< 1.0.1 | 1.0.1 |
| 🐹Go | github.com/cometbft/cometbft | all versions | 0.38.17 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/cometbft/cometbft. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/cometbft/cometbft to 1.0.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-22qq-3xwm-r5x4 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-22qq-3xwm-r5x4 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-22qq-3xwm-r5x4. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-22qq-3xwm-r5x4 in your dependencies?
O3 detects GHSA-22qq-3xwm-r5x4 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.