CVE-2025-59942
BaseFortify
Publication date: 2025-09-29
Last updated on: 2025-10-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| filecoin | go-f3 | to 0.8.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in go-f3, a Golang implementation of Fast Finality for Filecoin. In versions 0.8.6 and below, go-f3 panics when it validates specially crafted "poison" messages. These messages cause an integer overflow in the signer index validation, which leads to the entire Filecoin node crashing. The malicious messages are not self-propagating, meaning an attacker must send them directly to each target node. The issue is fixed in version 0.8.7.
How can this vulnerability impact me? :
This vulnerability can cause a denial of service by crashing Filecoin nodes that consume go-f3 messages. An attacker can send crafted "poison" messages to cause integer overflow and crash the node, potentially disrupting the availability of the Filecoin service relying on these nodes.
What immediate steps should I take to mitigate this vulnerability?
Upgrade go-f3 to version 0.8.7 or later, as this version contains the fix for the vulnerability causing node crashes due to poison messages.