CVE-2025-24883 – github.com/ethereum/go-ethereum
Package
Manager: go
Name: github.com/ethereum/go-ethereum
Vulnerable Version: >=1.14.0 <1.14.13
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
EPSS: 0.00023 pctl0.04699
Details
Go Ethereum vulnerable to DoS via malicious p2p message

### Impact
A vulnerable node can be forced to shut down or crash using a specially crafted message. During the peer-to-peer connection handshake, a shared secret key is computed. The implementation did not verify whether the EC public key provided by the remote party is a valid point on the secp256k1 curve. By simply sending an all-zero public key, a crash could be induced due to unexpected results from the handshake. The issue was fixed by adding a curve point validity check in https://github.com/ethereum/go-ethereum/commit/159fb1a1db551c544978dc16a5568a4730b4abf3.

### Patches
A fix has been included in geth version 1.14.13 and onwards.

### Workarounds
Unfortunately, no workaround is available.

### Credits
This issue was originally reported to Polygon Security by David Matosse (@iam-ned).
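The class of check the fix adds, as an added example that is not go-ethereum's own code: before a remote public key is fed into the handshake key agreement, confirm that its coordinates are reduced modulo the secp256k1 field prime and that they satisfy the curve equation y^2 = x^3 + 7. The all-zero key named in the advisory fails that equation (0 != 7 mod p) and is rejected up front, instead of producing an undefined result deep in the ECDH arithmetic. The 64-byte x||y encoding, the function names and the sample inputs are assumptions made for this example.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// secp256k1 parameters: field prime p and the constant b in y^2 = x^3 + b.
var (
	secp256k1P, _ = new(big.Int).SetString(
		"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F", 16)
	secp256k1B = big.NewInt(7)
)

// ErrInvalidPoint is returned for any key that is not a point on the curve.
var ErrInvalidPoint = errors.New("remote public key is not a valid secp256k1 point")

// IsOnSecp256k1 reports whether (x, y) is an affine point on secp256k1:
// both coordinates must lie in [0, p) and satisfy y^2 == x^3 + 7 (mod p).
// The pair (0, 0) fails the equation, so an all-zero key is rejected here
// rather than being multiplied by a private scalar.
func IsOnSecp256k1(x, y *big.Int) bool {
	if x.Sign() < 0 || y.Sign() < 0 ||
		x.Cmp(secp256k1P) >= 0 || y.Cmp(secp256k1P) >= 0 {
		return false
	}
	lhs := new(big.Int).Mul(y, y)
	lhs.Mod(lhs, secp256k1P)
	rhs := new(big.Int).Mul(x, x)
	rhs.Mul(rhs, x)
	rhs.Add(rhs, secp256k1B)
	rhs.Mod(rhs, secp256k1P)
	return lhs.Cmp(rhs) == 0
}

// ValidateRemotePubkey checks a raw 64-byte x||y public key (assumed
// encoding for this example) before it is used in key agreement.
func ValidateRemotePubkey(raw []byte) error {
	if len(raw) != 64 {
		return fmt.Errorf("public key must be 64 bytes, got %d", len(raw))
	}
	x := new(big.Int).SetBytes(raw[:32])
	y := new(big.Int).SetBytes(raw[32:])
	if !IsOnSecp256k1(x, y) {
		return ErrInvalidPoint
	}
	return nil
}

// GeneratorPubkey returns the secp256k1 base point G in x||y form, used as a
// known-good sample input for this example.
func GeneratorPubkey() []byte {
	g, err := hex.DecodeString(
		"79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798" +
			"483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8")
	if err != nil {
		panic(err)
	}
	return g
}

func main() {
	// Constructed inputs: a valid point and the all-zero key from the advisory.
	fmt.Println("generator:", ValidateRemotePubkey(GeneratorPubkey()))
	fmt.Println("all-zero: ", ValidateRemotePubkey(make([]byte, 64)))
}
```

The check must run before any scalar multiplication with the local private key, since that is where an invalid point leads to unexpected results; a deployment that also accepts compressed or 0x04-prefixed keys should decode them first and then apply the same on-curve test.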
Metadata
Created: 2025-01-30T17:51:57Z
Modified: 2025-03-17T20:25:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-q26p-9cq4-7fc2/GHSA-q26p-9cq4-7fc2.json
CWE IDs: ["CWE-20", "CWE-248"]
Alternative ID: GHSA-q26p-9cq4-7fc2
Finding: F184
Auto approve: 1