x/vulndb: potential Go vuln in github.com/filecoin-project/go-f3: GHSA-7pq9-rf9p-wcrf #3989
Description
Advisory GHSA-7pq9-rf9p-wcrf references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/filecoin-project/go-f3 |
Description:
Description
A vulnerability exists in go-f3's justification verification caching mechanism where verification results are cached without properly considering the context of the message. An attacker can bypass justification verification by:
- First submitting a valid message with a correct justification
- Then reusing the same cached justification in contexts where it would normally be invalid
This occurs because the cached verification does not properly validate the relationship between the justification and the specific message context it's being used with.
Impact
- Potential cons...
References:
- ADVISORY: GHSA-7pq9-rf9p-wcrf
- ADVISORY: GHSA-7pq9-rf9p-wcrf
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/filecoin-project/go-f3
versions:
- fixed: 0.8.9
vulnerable_at: 0.8.8
summary: go-f3 Vulnerable to Cached Justification Verification Bypass in github.com/filecoin-project/go-f3
cves:
- CVE-2025-59941
ghsas:
- GHSA-7pq9-rf9p-wcrf
references:
- advisory: https://github.com/advisories/GHSA-7pq9-rf9p-wcrf
- advisory: https://github.com/filecoin-project/go-f3/security/advisories/GHSA-7pq9-rf9p-wcrf
source:
id: GHSA-7pq9-rf9p-wcrf
created: 2025-09-29T21:01:12.472093933Z
review_status: UNREVIEWED