CVE-2025-59942
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-59942, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-09-29

Last updated on: 2025-10-18

Assigner: GitHub, Inc.

Description

go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.6 and below, go-f3 panics when it validates a "poison" messages causing Filecoin nodes consuming F3 messages to become vulnerable. A "poison" message can can cause integer overflow in the signer index validation, which can cause the whole node to crash. These malicious messages aren't self-propagating since the bug is in the validator. An attacker needs to directly send the message to all targets. This issue is fixed in version 0.8.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-09-29
Last Modified
2025-10-18
Generated
2026-07-06
AI Q&A
2025-09-30
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
filecoin go-f3 to 0.8.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in go-f3, a Golang implementation of Fast Finality for Filecoin. In versions 0.8.6 and below, go-f3 panics when it validates specially crafted "poison" messages. These messages cause an integer overflow in the signer index validation, which leads to the entire Filecoin node crashing. The malicious messages are not self-propagating, meaning an attacker must send them directly to each target node. The issue is fixed in version 0.8.7.

Impact Analysis

This vulnerability can cause a denial of service by crashing Filecoin nodes that consume go-f3 messages. An attacker can send crafted "poison" messages to cause integer overflow and crash the node, potentially disrupting the availability of the Filecoin service relying on these nodes.

Mitigation Strategies

Upgrade go-f3 to version 0.8.7 or later, as this version contains the fix for the vulnerability causing node crashes due to poison messages.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59942. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart