CVE-2025-59942: Vulnerability analysis and mitigation
Overview
go-f3, the Go implementation of Fast Finality for Filecoin (F3), contains a high-severity vulnerability (CVE-2025-59942) in versions 0.8.6 and earlier. It was disclosed on September 29, 2025, and affects Filecoin nodes that consume F3 messages. The issue is a panic triggered while validating 'poison' messages, which allows a remote sender to crash a node (GitHub Advisory).
Technical details
The vulnerability stems from an integer overflow in the signer index validation path. When a maliciously crafted 'poison' message is processed, the validation code does not guard the integer boundaries while accumulating justification power over the signer indices, and the resulting overflow leads to a panic. The vulnerability has a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and an impact confined to availability (no confidentiality or integrity loss) (GitHub Advisory).
Impact
The primary impact is denial of service against Filecoin nodes: a successful exploit crashes the entire node process. The attack is particularly concerning because it requires no privileges and no significant resources to carry out, although the malicious messages are not self-propagating, so each victim must receive a crafted message directly (GitHub Advisory).
Mitigation and workarounds
The vulnerability is patched in go-f3 version 0.8.7. The fix adds an explicit overflow check against math.MaxInt64 before the addition and returns the error 'justificationPower overflow' instead of panicking when the sum would overflow. Lotus, Forest, and Venus all ship the patched go-f3 in their releases for the nv27 network upgrade; operators building from source can confirm that the version pinned in go.mod for the module github.com/filecoin-project/go-f3 is 0.8.7 or later. There is no workaround for unpatched versions, so upgrading is the only effective mitigation (GitHub Advisory).
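The overflow guard described above and in the technical details, as an added illustrative example that is not go-f3's own code: a constructed scaled-power table and a list of signer indices are summed once without any guard (the accumulator wraps silently on hostile input) and once with bounds checking plus the math.MaxInt64 pre-comparison, which turns the failure into a returned error rather than a crash. The function names, the int64 power representation, the sample values and the index-slice form of the signer set are assumptions; only the error text 'justificationPower overflow' comes from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// ErrJustificationPowerOverflow reuses the error text quoted in the advisory.
var ErrJustificationPowerOverflow = errors.New("justificationPower overflow")

// sumSignerPowerUnchecked adds up the scaled power of every signer index with
// no guard at all. Go's signed addition wraps on overflow, so with a hostile
// table the total silently becomes negative, and an out-of-range index panics
// on the slice access. Illustrative "before" shape, not go-f3's code.
func sumSignerPowerUnchecked(scaledPower []int64, signers []int) int64 {
	var total int64
	for _, idx := range signers {
		total += scaledPower[idx] // wraps on overflow; panics if idx is out of range
	}
	return total
}

// sumSignerPower is the hardened form: each index is range-checked, negative
// power is rejected, and the addition is only performed after confirming that
// total + p cannot exceed math.MaxInt64. Validation fails with an error the
// caller can log and drop instead of taking the node down.
func sumSignerPower(scaledPower []int64, signers []int) (int64, error) {
	var total int64
	for _, idx := range signers {
		if idx < 0 || idx >= len(scaledPower) {
			return 0, fmt.Errorf("signer index %d out of range [0,%d)", idx, len(scaledPower))
		}
		p := scaledPower[idx]
		if p < 0 {
			return 0, fmt.Errorf("negative power %d at signer index %d", p, idx)
		}
		// Compare before adding: once the add has happened the wrapped value is
		// indistinguishable from a legitimate small total without extra state.
		if total > math.MaxInt64-p {
			return 0, ErrJustificationPowerOverflow
		}
		total += p
	}
	return total, nil
}

func main() {
	// Constructed sample: entry 0 sits just below MaxInt64 so that adding the
	// next signer's power overflows the int64 accumulator.
	table := []int64{math.MaxInt64 - 10, 20, 5}

	fmt.Println("unchecked:", sumSignerPowerUnchecked(table, []int{0, 1})) // negative, wrapped
	if _, err := sumSignerPower(table, []int{0, 1}); err != nil {
		fmt.Println("checked:", err) // justificationPower overflow
	}
	if total, err := sumSignerPower(table, []int{1, 2}); err == nil {
		fmt.Println("checked benign:", total) // 25
	}
	if _, err := sumSignerPower(table, []int{3}); err != nil {
		fmt.Println("checked:", err) // out-of-range index rejected, no panic
	}
}
```

The pre-addition comparison `total > math.MaxInt64-p` is the same idea the advisory attributes to the fix: it never evaluates an expression that can overflow, so it needs no recovery logic and no reliance on wraparound semantics, and it is the check to reach for wherever untrusted message fields feed an integer accumulator.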
Community reactions
The vulnerability was found while following up an unrelated code path reported by security researcher 0xNirix through a bug bounty program. The original finding was not rated high severity, but the developers' further investigation of that area uncovered this more serious issue (GitHub Advisory).
Additional resources
Source: this report was generated using AI