GHSA-wwx5-gpgr-vxr7
ismp-grandpa crate accepted incorrect signatures
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
ismp-grandpa🦀grandpa-verifier-primitives🦀grandpa-verifierReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.
Description
A critical vulnerability was discovered in the ismp-grandpa crate, that allowed a malicious prover easily convince the verifier of the finality of arbitrary headers.
Description
The vulnerability manifests as a verifer that only accepts incorrect signatures of Grandpa precommits and was introduced in this specific commit. Perhaps due to unfamiliarity with core substrate APIs. The if statement should have included a negation check, similar to the previous code, but this was omitted. Causing the verifier to only accept invalid signatures.
This vulnerability remained undetected even with integration tests, as the prover was also misconfigured to initialize the Grandpa verifier with the incorrect authority set_id. This causes verification of honest precommit signatures to fail as the message is now malformed, but the verifier indeed only accepts signatures or messages that fail the verification check.
But even more devastatingly, the verifier will also accept malicious GRANDPA signatures for any precommit message.
This vulnerability has been fixed in this commit and a patch release has been published.
Impact
This could be used to steal funds or compromise other kinds of cross-chain applications.
Patches
This vulnerability has been fixed in the latest version of ismp-granpda v15.0.1
Recommendations
Users who rely on the compromised versions must upgrade immediately, as all vulnerable versions of the crate has been yanked.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🦀crates.io | ismp-grandpa | all versions | 15.0.1 |
| 🦀crates.io | grandpa-verifier-primitives | all versions | 0.1.2 |
| 🦀crates.io | grandpa-verifier | all versions | 0.1.2 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for ismp-grandpa. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update ismp-grandpa to 15.0.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-wwx5-gpgr-vxr7 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-wwx5-gpgr-vxr7 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-wwx5-gpgr-vxr7. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-wwx5-gpgr-vxr7 in your dependencies?
O3 detects GHSA-wwx5-gpgr-vxr7 across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.