CVE-2025-59941

EPSS 0.04%
Veröffentlicht 29.09.2025 23:15:32
Zuletzt bearbeitet 18.10.2025 01:21:51
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.8 and below, go-f3's justification verification caching mechanism has a vulnerability where verification results are cached without properly considering the context of the message. An attacker can bypass justification verification by submitting a valid message with a correct justification and then reusing the same cached justification in contexts where it would normally be invalid. This occurs because the cached verification does not properly validate the relationship between the justification and the specific message context it's being used with. This issue is fixed in version 0.8.9.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Filecoin ≫ Go-f3 Version < 0.8.9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.123

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.2	4.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
security-advisories@github.com	5.9	1.6	4.2	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L

CWE-305 Authentication Bypass by Primary Weakness

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

https://github.com/filecoin-project/go-f3/commit/76fff18cf07b21baccf537024bdb2fb41f75f6e2#diff-e1f646cea41790e1642e4e649c9e3c526344736d67222201703e1c29c23e9625

Patch

https://github.com/filecoin-project/go-f3/security/advisories/GHSA-7pq9-rf9p-wcrf

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-59941

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-59941

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-59941

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-59941