
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was discovered in go-f3, a Golang implementation of Fast Finality for Filecoin (F3), affecting versions 0.8.8 and below. The vulnerability (CVE-2025-59941) was disclosed on September 29, 2025, and involves a flaw in the justification verification caching mechanism where verification results are cached without properly considering the message context (GitHub Advisory, NVD).
The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L. The issue stems from the caching mechanism for validation results not properly accounting for the message context. The vulnerability is classified as CWE-305 (Authentication Bypass by Primary Weakness). The root cause was identified in the cachingValidator.validateJustification function in gpbft/validator.go, which used a cache key generated only from the justification content itself (Miggo).
The vulnerability can lead to consensus integrity issues through the acceptance of invalid justifications and could affect network liveness if exploited systematically. Exploitation requires significant computational power (350+ TiB) and would be difficult to execute in a synchronized fashion affecting more than 1/3 of the network simultaneously. The impact is mitigated by the fact that nodes have different memory configurations and many Storage Providers run redundant lotus nodes (GitHub Advisory).
The vulnerability has been fixed in version 0.8.9 of go-f3. All node software, including Lotus, Forest, and Venus, uses the patched version in its updates for the nv27 network upgrade. No immediate workarounds are available; nodes should upgrade to the patched version, which they will already have done if they participated in nv27 on Filecoin mainnet (GitHub Advisory).
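The root-cause pattern described above (a verification cache keyed only on the justification content, so the message context is never re-checked on a cache hit) can be shown with a small stand-alone Go model. This is an added illustration, not go-f3's code: the `Justification`, `MessageContext` and `Validator` types, the hash-based "proof", and the instance/round relation checked in `verifyJustification` are all constructed assumptions. `ContentOnlyKey` mirrors the flawed keying and `ContextKey` the corrected one; `Replay` runs the same justification first with its own message and then attached to a message from another round.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Everything here is a constructed stand-in for this illustration, not go-f3's code.

// Justification names the instance and round it was produced for, the value it
// supports, and a proof (a hash here, standing in for an aggregate signature).
type Justification struct {
	Instance, Round uint64
	Value, Proof    []byte
}

// MessageContext is the context of the message the justification is attached to.
type MessageContext struct{ Instance, Round uint64 }

func u64(v uint64) []byte { return binary.BigEndian.AppendUint64(nil, v) }

func encodeJustification(j Justification) []byte {
	out := append(u64(j.Instance), u64(j.Round)...)
	return append(append(out, j.Value...), j.Proof...)
}

// proofFor is the stand-in for signing: a hash over the justification's content.
func proofFor(instance, round uint64, value []byte) []byte {
	sum := sha256.Sum256(encodeJustification(Justification{Instance: instance, Round: round, Value: value}))
	return sum[:]
}

// verifyJustification is the full (expensive) check. The first half depends only
// on the justification; the second half depends on the message it is attached to.
func verifyJustification(j Justification, ctx MessageContext) error {
	if !bytes.Equal(j.Proof, proofFor(j.Instance, j.Round, j.Value)) {
		return errors.New("justification proof does not verify")
	}
	if j.Instance != ctx.Instance || j.Round != ctx.Round {
		return fmt.Errorf("justification for instance %d round %d attached to a message for instance %d round %d",
			j.Instance, j.Round, ctx.Instance, ctx.Round)
	}
	return nil
}

// KeyFunc derives the cache key for a (justification, message context) pair.
type KeyFunc func(Justification, MessageContext) [32]byte

// ContentOnlyKey mirrors the flawed scheme: the message context is ignored.
func ContentOnlyKey(j Justification, _ MessageContext) [32]byte {
	return sha256.Sum256(encodeJustification(j))
}

// ContextKey binds the cached result to the message context as well.
func ContextKey(j Justification, ctx MessageContext) [32]byte {
	return sha256.Sum256(append(encodeJustification(j), append(u64(ctx.Instance), u64(ctx.Round)...)...))
}

// Validator caches verification results under whatever key its KeyFunc produces.
type Validator struct {
	key           KeyFunc
	cache         map[[32]byte]error
	Verifications int // full verifications actually performed
}

func NewValidator(key KeyFunc) *Validator {
	return &Validator{key: key, cache: map[[32]byte]error{}}
}

func (v *Validator) Validate(j Justification, ctx MessageContext) error {
	k := v.key(j, ctx)
	if res, hit := v.cache[k]; hit {
		return res // cache hit: the context check is never re-run
	}
	v.Verifications++
	res := verifyJustification(j, ctx)
	v.cache[k] = res
	return res
}

// Replay validates one justification with its own message, then with a message
// from a different round, and reports whether each validator accepted the
// mismatched second use and how many full verifications it ran.
func Replay() (contentOnlyAccepts, contextAwareAccepts bool, contentOnlyRuns, contextAwareRuns int) {
	j := Justification{Instance: 7, Round: 2, Value: []byte("constructed-value")}
	j.Proof = proofFor(j.Instance, j.Round, j.Value)
	own, other := MessageContext{7, 2}, MessageContext{7, 3}
	flawed, fixed := NewValidator(ContentOnlyKey), NewValidator(ContextKey)
	_, _ = flawed.Validate(j, own), fixed.Validate(j, own)
	return flawed.Validate(j, other) == nil, fixed.Validate(j, other) == nil,
		flawed.Verifications, fixed.Verifications
}
```

With the content-only key the second, mismatched use is served from the cache and accepted without a single additional verification; with the context-aware key the mismatched pair produces a fresh key, the full check runs again, and the justification is rejected. The defensive takeaway is that a cache key must cover every input the cached computation depends on, not only the object being verified.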
The vulnerability was reported by @lgprbs through the bug bounty program, demonstrating the effectiveness of the project's security reporting mechanisms (GitHub Advisory).
Source: This report was generated using AI