N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-hrhf-2vcr-ghch

EPSS Score

CWE

CWE-228

Published

10/14/2025

Updated

10/14/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-hrhf-2vcr-ghch

GHSA-hrhf-2vcr-ghch: CometBFT's invalid BitArray handling can lead to network halt

Name: ASA-2025-003: Invalid BitArray handling can lead to network halt Criticality: High (Considerable Impact; Possible Likelihood per ACMv1.2) Affected versions: <= v0.38.18, <= v0.37.15, and main development branches Affected users: Validators, Full nodes, Users

Description

A bug was discovered in CometBFT's handling of BitArray's that have a mismatch between the BitArray's expected number of Elems for the specified number of Bits. Additional validation was added to prevent processing BitArray's in this invalid state, as well as guards to prevent panics on BitArray methods if one of these invalid states is processed.

Impact

BitArray's are present in a number of messages received from peers. When handling these messages, insufficient validation was applied to prevent processing messages the aforementioned invalid state. In the worst case, nodes will gossip messages to peers in an invalid state before processing them themselves, leading to a network halt (instead of only the node receiving the malicious message crashing).

Patches

The new CometBFT releases v0.38.19 and v0.37.16 fix this issue.

Unreleased code in the main branch is patched as well.

Workarounds

If a node is able to identify a malicious peer sending these payloads, they can ban the ip address using common tools like iptables.

Timeline

October 3, 2025, 11:26am EST: Issue reported to Cosmos Labs via an external team (via their Bug Bounty Program).
October 3, 2025, 11:59am EST: Issue triaged by core team and core team completes validation of issue.
October 6, 2025, 11:14pm EST: Issue reported to the Cosmos Bug Bounty Program (by original white hat reporter).
October 9, 2025, 11:15am EST: Pre-notification delivered.
October 10, 2025, 11:37am EST: Core team completes patch for the issue.
October 14, 2025, 11:00am EST: Patch made available.

This issue was reported by @whoismxuse to the Cosmos Bug Bounty Program on HackerOne on October 6, 2025. If you believe you have found a bug in the Cosmos Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

If there are questions about Cosmos security efforts, please reach out to our official communication channel at security@cosmoslabs.io.

A Github Security Advisory for this issue is available in the CometBFT repository. For more information about CometBFT, see https://docs.cometbft.com/.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-hrhf-2vcr-ghch

EPSS Score

CWE

CWE-228

Published

10/14/2025

Updated

10/14/2025

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/cometbft/cometbft	go	<= 0.37.15	0.37.16
github.com/cometbft/cometbft	go	>= 0.38.0-alpha.1, <= 0.38.18	0.38.19

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in CometBFT's handling of the BitArray data structure, which is used in various peer-to-peer messages. The root cause is a failure to validate that the BitArray's internal state is consistent, specifically that the length of its Elems slice (which holds the bit data) corresponds correctly to the number of Bits it claims to represent.

An attacker can craft a network message, such as NewValidBlockMessage, ProposalPOLMessage, or VoteSetBitsMessage, containing a BitArray with this inconsistency. The analysis of the patches shows that the ValidateBasic methods for these message types in consensus/reactor.go were missing the necessary validation for their BitArray fields.

When a vulnerable node receives such a message, it accepts the malformed BitArray. Subsequent operations on this BitArray, such as those performed by bits.BitArray.setIndex or bits.BitArray.getNumTrueIndices, would then result in an out-of-bounds memory access, causing the node process to panic and crash. Because these messages are gossiped to other peers before being fully processed, the vulnerability could be used to trigger a cascading failure across the network, leading to a halt.

The patches rectify this by first introducing a ValidateBasic method on the BitArray type itself to check for the inconsistency. Secondly, they add calls to this new validation method within the ValidateBasic methods of the message types that carry BitArrays, ensuring that invalid messages are rejected upon receipt. Finally, defensive guards were added to the internal BitArray methods (setIndex, getNumTrueIndices) as a secondary protection against panics.

Vulnerable functions

consensus.NewValidBlockMessage.ValidateBasic

consensus/reactor.go

This function processes `NewValidBlockMessage` messages from peers. Prior to the patch, it did not validate the consistency of the `BlockParts` BitArray, allowing a malformed BitArray to be processed, which could lead to a panic. The patch adds a call to `m.BlockParts.ValidateBasic()` to prevent this.

consensus.ProposalPOLMessage.ValidateBasic

consensus/reactor.go

This function processes `ProposalPOLMessage` messages from peers. Prior to the patch, it did not validate the `ProposalPOL` BitArray. An attacker could send a message with an invalid BitArray, causing the node to crash. The patch introduces a call to `m.ProposalPOL.ValidateBasic()`.

consensus.VoteSetBitsMessage.ValidateBasic

consensus/reactor.go

This function processes `VoteSetBitsMessage` messages from peers. It was vulnerable because it failed to validate the `Votes` BitArray, allowing a maliciously crafted message to cause a panic. The fix was to add a call to `m.Votes.ValidateBasic()`.

bits.BitArray.setIndex

libs/bits/bit_array.go

This internal method of `BitArray` was vulnerable to an out-of-bounds panic. If a malformed BitArray (where the `Elems` slice was too small for the number of `Bits`) was received and processed, a call to `setIndex` could attempt to access an index beyond the bounds of the `Elems` slice, causing a crash. The patch adds a check against `len(bA.Elems)`.

bits.BitArray.getNumTrueIndices

libs/bits/bit_array.go

This function calculates the number of set bits. It was vulnerable to a panic if it operated on a malformed BitArray where the `Elems` slice length didn't match the `Bits` count. This mismatch could cause an out-of-bounds read during iteration. The patch adds a guard to validate the BitArray's internal consistency before proceeding.

WAF Protection Rules

WAF Rule

N*m*: *S*-****-***: Inv*li* *it*rr*y **n*lin* **n l*** to n*twork **lt *riti**lity: *i** (*onsi**r**l* Imp**t; Possi*l* Lik*li*oo* p*r [**Mv*.*](*ttps://*it*u*.*om/int*r***inio/s**urity/*lo*/m*in/r*sour**s/*L*SSI*I**TION_M*TRIX.m*)) *****t** v*rsions

Reasoning

T** vuln*r**ility *xists in *om*t**T's **n*lin* o* t** `*it*rr*y` **t* stru*tur*, w*i** is us** in v*rious p**r-to-p**r m*ss***s. T** root **us* is * **ilur* to v*li**t* t**t t** `*it*rr*y`'s int*rn*l st*t* is *onsist*nt, sp**i*i**lly t**t t** l*n*t*

N/A

Basic Information

Concerned about an active attack path?

GHSA-hrhf-2vcr-ghch: CometBFT's invalid BitArray handling can lead to network halt

Description

Impact

Patches

Workarounds

Timeline

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI