949737 – (CVE-2025-24883) <net-p2p/go-ethereum-1.14.13: DoS vulnerability via p2p message

Bug 949737 (CVE-2025-24883) - <net-p2p/go-ethereum-1.14.13: DoS vulnerability via p2p message

Summary: <net-p2p/go-ethereum-1.14.13: DoS vulnerability via p2p message

Status:	IN_PROGRESS

Alias:	CVE-2025-24883

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://github.com/advisories/GHSA-q2...
Whiteboard:	~3 [cleanup]
Keywords:

Depends on:
Blocks:

Reported:	2025-02-14 18:13 UTC by Sam Wilson
Modified:	2025-02-16 17:13 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam Wilson 2025-02-14 18:13:58 UTC

A vulnerable node can be forced to shutdown/crash using a specially crafted message.

References:

* https://github.com/advisories/GHSA-q26p-9cq4-7fc2
* https://nvd.nist.gov/vuln/detail/CVE-2025-24883
* https://github.com/ethereum/go-ethereum/commit/fa9a2ff8687ec9efe57b4b9833d5590d20f8a83f
* https://pkg.go.dev/vuln/GO-2025-3436

Comment 1 Sam Wilson 2025-02-14 18:16:19 UTC

Version bumped in

* https://github.com/gentoo/gentoo/pull/40385
* 1fb2affc1dc59c5371344b4fc94715e7a93b6111

Comment 2 Hans de Graaff gentoo-dev

2025-02-16 07:07:12 UTC

Thanks for reporting. We can close the bug once all vulnerable versions have been removed.

Comment 3 Sam Wilson 2025-02-16 17:13:49 UTC

That would be https://github.com/gentoo/gentoo/pull/40386