CVE-2025-59942
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-29

Last updated on: 2025-10-18

Assigner: GitHub, Inc.

Description
go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.6 and below, go-f3 panics when it validates a "poison" messages causing Filecoin nodes consuming F3 messages to become vulnerable. A "poison" message can can cause integer overflow in the signer index validation, which can cause the whole node to crash. These malicious messages aren't self-propagating since the bug is in the validator. An attacker needs to directly send the message to all targets. This issue is fixed in version 0.8.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-29
Last Modified
2025-10-18
Generated
2026-06-16
AI Q&A
2025-09-30
EPSS Evaluated
2026-06-14
NVD
CVE-2025-59942
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
filecoin go-f3 to 0.8.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in go-f3, a Golang implementation of Fast Finality for Filecoin. In versions 0.8.6 and below, go-f3 panics when it validates specially crafted "poison" messages. These messages cause an integer overflow in the signer index validation, which leads to the entire Filecoin node crashing. The malicious messages are not self-propagating, meaning an attacker must send them directly to each target node. The issue is fixed in version 0.8.7.

Impact Analysis

This vulnerability can cause a denial of service by crashing Filecoin nodes that consume go-f3 messages. An attacker can send crafted "poison" messages to cause integer overflow and crash the node, potentially disrupting the availability of the Filecoin service relying on these nodes.

Mitigation Strategies

Upgrade go-f3 to version 0.8.7 or later, as this version contains the fix for the vulnerability causing node crashes due to poison messages.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59942. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart