CVE-2025-59941
MEDIUM EPSS 12.8%
6.5 CVSS 3.1
Published: Sep 29, 2025
Last Modified: Jun 17, 2026
Description
go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.8 and below, go-f3's justification verification caching mechanism has a vulnerability where verification results are cached without properly considering the context of the message. An attacker can bypass justification verification by submitting a valid message with a correct justification and then reusing the same cached justification in contexts where it would normally be invalid. This occurs because the cached verification does not properly validate the relationship between the justification and the specific message context it's being used with. This issue is fixed in version 0.8.9.
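The weakness class described above, as an added illustration (not go-f3's code and not taken from the fix commit): a hypothetical verification cache whose key covers only the justification, beside the same cache with the message context bound into the key. All type, field and function names, and the `"valid"` signature stand-in, are assumptions made for this example.

```go
package main

import "fmt"

// Hypothetical, simplified types for illustration; not go-f3's structures.
type Justification struct {
	Instance, Round uint64
	Signature       string // constructed stand-in for an aggregate signature
}
type Message struct {
	Instance, Round uint64
	Justification   Justification
}

// fullVerify stands in for the expensive check: the signature must be good
// AND the justification must belong to the message's instance and round.
func fullVerify(m Message) bool {
	j := m.Justification
	return j.Signature == "valid" && j.Instance == m.Instance && j.Round == m.Round
}

type Cache struct {
	seen        map[string]bool
	bindContext bool // false: key on the justification only (the weak pattern)
}

func (c *Cache) key(m Message) string {
	k := fmt.Sprintf("j|%+v", m.Justification)
	if c.bindContext { // hardened: the message context is part of the key
		k += fmt.Sprintf("|m|%d|%d", m.Instance, m.Round)
	}
	return k
}

// Verify trusts a cached positive result and runs fullVerify on a miss.
func (c *Cache) Verify(m Message) bool {
	k := c.key(m)
	if !c.seen[k] {
		c.seen[k] = fullVerify(m)
	}
	return c.seen[k]
}

func main() {
	j := Justification{7, 0, "valid"} // constructed sample input
	for _, bind := range []bool{false, true} {
		c := &Cache{seen: map[string]bool{}, bindContext: bind}
		// The second message reuses j under the wrong instance.
		fmt.Println(bind, c.Verify(Message{7, 0, j}), c.Verify(Message{8, 0, j}))
	}
}
```

With the context-free key, the second call is answered from the cache and never reaches `fullVerify`; with the bound key it is a miss and is rejected.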
CVSS Details
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | High |
| Availability | Low |
Threat Intelligence
EPSS Exploit Probability
12.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-305
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| filecoin | go-f3 | * | <0.8.9 |
References 2
- github.com https://github.com/filecoin-project/go-f3/commit/76fff18cf07b21baccf537024bdb2fb41f75f6e2#diff-e1f646cea41790e1642e4e649c9e3c526344736d67222201703e1c29c23e9625
- github.com https://github.com/filecoin-project/go-f3/security/advisories/GHSA-7pq9-rf9p-wcrf
Remediation
- github.com https://github.com/filecoin-project/go-f3/commit/76fff18cf07b21baccf537024bdb2fb41f75f6e2#diff-e1f646cea41790e1642e4e649c9e3c526344736d67222201703e1c29c23e9625