PT-2025-5350 · Cometbft+1

Published

2025-02-03

·

Updated

2026-04-28

·

CVE-2025-24371

CVSS v4.0

7.1

High

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

CometBFT versions prior to 0.38.17
CometBFT versions prior to 1.0.1
Description

CometBFT is a distributed, Byzantine fault-tolerant, deterministic state machine replication engine. In the blocksync protocol, peers send their base and latest heights when they connect to a node that is syncing to the tip of the network. The existing code does not handle the case where a peer first reports a latest height X and immediately afterwards reports a latest height Y, where X > Y. Exploiting this requires a malicious full node that first reports a non-existent latest height and then reports a lower one, and a victim node that is syncing using the blocksync protocol. The CVSS vector rates the impact as high on availability only (VA:H).
Recommendations

For versions prior to 0.38.17, upgrade to version 0.38.17 or later.
For versions prior to 1.0.1, upgrade to version 1.0.1 or later.
As a temporary workaround, operators may attempt to ban malicious peers from the network.
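The following is an added illustration, not CometBFT's own code: a minimal model of a blocksync peer table that shows why an unchecked decrease in a peer's advertised latest height leaves a syncing node stuck, and one way to harden the update. The pool, peer IDs, heights and the ban-on-decrease policy are assumptions for the example; the actual fix in CometBFT 0.38.17 / 1.0.1 may differ in detail.

```go
package main

import (
	"errors"
	"fmt"
)

// peerRange is the [Base, Height] range a peer advertises when it connects.
type peerRange struct{ Base, Height int64 }

// Pool is a constructed model of a blocksync peer table, not CometBFT's.
// The syncing node keeps fetching blocks until it reaches maxPeerHeight.
type Pool struct {
	hardened      bool
	peers         map[string]peerRange
	maxPeerHeight int64
	banned        map[string]bool
}

func NewPool(hardened bool) *Pool {
	return &Pool{hardened: hardened, peers: map[string]peerRange{}, banned: map[string]bool{}}
}

// SetPeerRange records a peer's advertised range.
// Unhardened: maxPeerHeight only ever grows, so a peer that first claims X and
// then a lower Y leaves the pool chasing X although nobody can serve it.
// Hardened (assumed policy): a decreasing latest height is treated as
// misbehaviour; the peer is removed and banned, and the maximum is recomputed
// from the peers that remain.
func (p *Pool) SetPeerRange(id string, base, height int64) error {
	if p.banned[id] {
		return fmt.Errorf("peer %s is banned", id)
	}
	if base < 0 || height < base {
		return errors.New("invalid peer range")
	}
	if prev, seen := p.peers[id]; seen && height < prev.Height && p.hardened {
		p.RemovePeer(id)
		p.banned[id] = true
		return fmt.Errorf("peer %s lowered latest height from %d to %d", id, prev.Height, height)
	}
	p.peers[id] = peerRange{Base: base, Height: height}
	if height > p.maxPeerHeight {
		p.maxPeerHeight = height
	}
	return nil
}

// RemovePeer drops a peer and recomputes the target height from the rest.
func (p *Pool) RemovePeer(id string) {
	delete(p.peers, id)
	p.maxPeerHeight = 0
	for _, r := range p.peers {
		if r.Height > p.maxPeerHeight {
			p.maxPeerHeight = r.Height
		}
	}
}

// MaxPeerHeight is the height the syncing node believes it must reach.
func (p *Pool) MaxPeerHeight() int64 { return p.maxPeerHeight }

// PickPeer returns a peer whose range covers height, or "" if none can serve it.
func (p *Pool) PickPeer(height int64) string {
	for id, r := range p.peers {
		if r.Base <= height && height <= r.Height {
			return id
		}
	}
	return ""
}

// IsCaughtUp reports whether a node at ourHeight has nothing left to fetch.
func (p *Pool) IsCaughtUp(ourHeight int64) bool { return ourHeight >= p.maxPeerHeight }

// Outcome captures what the syncing node sees after the malicious sequence.
type Outcome struct {
	MaxPeerHeight int64
	ServerFor101  string
	CaughtUpAt100 bool
	Err           error
}

// Scenario replays the advisory's sequence with constructed peers: an honest
// peer at height 100 and a malicious peer that first reports a non-existent
// height X = 1_000_000, then a lower height Y = 100.
func Scenario(hardened bool) Outcome {
	pool := NewPool(hardened)
	_ = pool.SetPeerRange("honest", 1, 100)
	_ = pool.SetPeerRange("mal", 1, 1_000_000) // X: does not exist
	err := pool.SetPeerRange("mal", 1, 100)    // Y < X
	return Outcome{pool.MaxPeerHeight(), pool.PickPeer(101), pool.IsCaughtUp(100), err}
}

func main() {
	for _, h := range []bool{false, true} {
		o := Scenario(h)
		fmt.Printf("hardened=%v target=%d serverFor101=%q caughtUpAt100=%v err=%v\n",
			h, o.MaxPeerHeight, o.ServerFor101, o.CaughtUpAt100, o.Err)
	}
}
```

In the unhardened run the pool still targets height 1,000,000 after the downgrade, yet no peer can serve height 101, so the node never reports itself caught up; this is the availability impact the CVSS vector expresses. In the hardened run the downgrade is rejected, the peer is banned (mirroring the page's workaround), the target drops back to 100 and the node is caught up.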

Related Identifiers

CVE-2025-24371
GHSA-22QQ-3XWM-R5X4
GO-2025-3442
OPENSUSE-SU-2025:14732-1
OPENSUSE-SU-2025:0429-1
SUSE-SU-2025:0429-1

Affected Products

CometBFT
SUSE