go-f3 Integer Overflow Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in go-f3, a Golang implementation of Fast Finality for Filecoin. This issue affects versions prior to 0.8.7. The vulnerability arises when the validator processes 'poison' messages, which can cause an integer overflow in the signer index validation. As a result, Filecoin nodes that consume F3 messages may crash. The vulnerability requires an attacker to directly send the malicious messages to the target nodes, as these messages do not self-propagate.
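The advisory gives no code, so the following is an added illustration of the bug class it names (an integer overflow in an index bounds check that turns attacker-controlled input into a panic), not go-f3's actual code or its actual defect; the narrowing of a uint64 to int before the check is an assumed mechanism chosen to show why such a check must fail closed with an error rather than crash the process.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative only (not go-f3 code): an attacker-controlled uint64 signer
// index is narrowed to int before the bounds check. Values >= 1<<63 wrap to a
// negative int, pass "idx < len(table)", and the slice access then panics,
// which takes the whole node down if nothing recovers it.
func naiveLookup(table []string, raw uint64) string {
	idx := int(raw) // overflow: wraps negative for large raw
	if idx < len(table) {
		return table[idx] // runtime panic: index out of range
	}
	return ""
}

var ErrSignerOutOfRange = errors.New("signer index out of range")

// Hardened form: compare in the wide unsigned domain, never narrow first, and
// return an error so the caller drops the message instead of the process dying.
func validatedLookup(table []string, raw uint64) (string, error) {
	if raw >= uint64(len(table)) {
		return "", fmt.Errorf("%w: %d >= %d", ErrSignerOutOfRange, raw, len(table))
	}
	return table[raw], nil
}

// panics reports whether naiveLookup panics for raw, recovering so that the
// demonstration itself keeps running.
func panics(table []string, raw uint64) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	naiveLookup(table, raw)
	return false
}

func main() {
	table := []string{"signer-a", "signer-b", "signer-c"} // constructed sample power table
	poison := uint64(1) << 63                             // constructed out-of-range index
	fmt.Println("naive lookup panics:", panics(table, poison))
	_, err := validatedLookup(table, poison)
	fmt.Println("validated lookup error:", err)
}
```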

Impact

Exploitation of this vulnerability causes Filecoin nodes to panic and crash, disrupting node availability and functionality.

Remediation

Users should upgrade to go-f3 version 0.8.7 or later. Filecoin node software such as Lotus, Forest, and Venus has already incorporated this patch in its updates for the nv27 network upgrade.

Added: Sep 29, 2025, 11:17 PM
Updated: Sep 29, 2025, 11:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 7.7
relevance: 0.6
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.