GHSA-6jrf-4jv4-r9mw: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-6jrf-4jv4-r9mw) affects tendermint-rs's light client implementation, specifically in the tendermint-light-client-verifier package versions <= v0.40.2. Discovered and reported on March 12, 2025, this critical vulnerability stems from insecure handling of corrupted validator sets. The issue was publicly disclosed on April 8, 2025, and affects all users of the affected versions (GitHub Advisory).

The vulnerability exists due to the light client implementation's failure to verify that validator addresses are correctly derived from their corresponding public keys when counting votes. This oversight in validation allows malicious validators to spoof votes from other validators, potentially enabling the construction of malicious blocks that the light client would accept as valid, appearing to have a 2/3+ majority signature (GitHub Advisory).

The vulnerability has a high severity rating with a CVSS score of 8.2. If exploited, it allows malicious validators to construct and have accepted fraudulent blocks by spoofing votes from other validators, effectively bypassing the light client's security mechanisms. This could lead to significant integrity compromises in the affected systems (GitHub Advisory).

The vulnerability has been patched in tendermint-rs version v0.40.3. Users are strongly advised to upgrade to this version as there are no known workarounds for this issue. The fix includes additional validation checks to ensure validator addresses are correctly derived from their public keys (GitHub Advisory).