PT-2025-39917 · Go-F3+1
0Xnirix · Published 2025-09-29 · Updated 2025-10-27 · CVE-2025-59942
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
go-f3 versions 0.8.6 and earlier
Description
go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). Versions 0.8.6 and below experience a panic when validating specific "poison" messages. These messages can trigger an integer overflow in the signer index validation, potentially causing Filecoin nodes consuming F3 messages to crash. The issue is not self-propagating, requiring an attacker to directly send the malicious message to target nodes. The signer index validation process is susceptible to this issue.
Recommendations
Upgrade to version 0.8.7 or later to address this issue.
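The description does not show the affected code. The following is an added example, not go-f3's code, of how an integer overflow in an index bounds check turns an untrusted signer index into a panic, next to a check that rejects it. The `entry` type, the function names and the uint64-to-int conversion are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// entry is a constructed stand-in for a power table row; not go-f3's type.
type entry struct {
	ID    uint64
	Power int64
}

var errSignerIndex = errors.New("signer index out of range")

// lookupUnsafe converts the untrusted index to int before the bounds check.
// Values above math.MaxInt64 wrap to a negative int, pass the `>= len`
// comparison, and the slice access panics. (Assumed mechanism.)
func lookupUnsafe(table []entry, signer uint64) (entry, error) {
	idx := int(signer)
	if idx >= len(table) {
		return entry{}, errSignerIndex
	}
	return table[idx], nil
}

// lookupSafe compares in the unsigned domain first, so nothing can wrap.
func lookupSafe(table []entry, signer uint64) (entry, error) {
	if signer >= uint64(len(table)) {
		return entry{}, errSignerIndex
	}
	return table[signer], nil
}

// panics reports whether f panicked, standing in for a node crash.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	table := []entry{{1, 10}, {2, 20}, {3, 30}} // constructed sample data
	bad := uint64(math.MaxUint64)               // constructed out-of-range index
	fmt.Println("unsafe check panics:", panics(func() { lookupUnsafe(table, bad) }))
	_, err := lookupSafe(table, bad)
	fmt.Println("safe check returns:", err)
}
```

Until every consumer is on 0.8.7 or later, an unexpected panic originating in F3 message validation is the crash signature to look for in node logs.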
Exploit
Fix
Integer Overflow
Weakness Enumeration
Related Identifiers
Affected Products
Filecoin
Go-F3