
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-g5xx-c4hv-9ccc) affects CometBFT's state sync protocol in versions 0.34.0 through 0.34.33, 0.37.0 through 0.37.10, and 0.38.0 through 0.38.11. The issue lies in how state sync validates the validator sets it fetches, specifically the missing check on the ProposerPriority field, which can lead to chain splits (GitHub Advisory).
The vulnerability stems from the light client protocol's incomplete validation of ValidatorSet data. While the protocol validates most aspects of the ValidatorSet retrieved from RPC endpoints, it fails to verify the ProposerPriority field associated with each Validator. This field represents the state of the proposer selection algorithm. The light client's validation process compares states from different RPC endpoints but overlooks the verification of these priority values (GitHub Advisory).
When state sync adopts RPC endpoints that provide an invalid state of the proposer selection algorithm, affected nodes cannot correctly execute the consensus protocol, because their local view of which validator proposes at a given height and round conflicts with the view held by correct validators. If several validators bootstrap via state sync from endpoints serving such invalid states, the network may eventually halt (GitHub Advisory).
The issue has been patched in versions 0.34.34, 0.37.11, and 0.38.12. The fix compares the ProposerPriority fields of the ValidatorSet instances retrieved from the different RPC endpoints during state sync; if they differ, the State object is marked invalid and state sync fails with an error. Operators of unpatched nodes should either avoid bootstrapping with state sync or configure state sync only with RPC endpoints known to serve a valid proposer election algorithm state (GitHub Advisory).
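The check described above, written out as an added, self-contained Go example. This is not CometBFT's own code: the `Validator` and `ValidatorSet` types are reduced stand-ins carrying only the fields the advisory mentions, the function names (`compareValidatorSets`, `VerifyStateSyncValidatorSets`, `UnpatchedStateSyncValidatorSets`, `SampleEndpointSets`) are assumptions, and the example assumes both endpoints return validators in the same order. It shows why a comparison that covers only address and voting power accepts an endpoint whose proposer priorities diverge, and how adding the ProposerPriority comparison rejects the same response.

```go
package main

import (
	"errors"
	"fmt"
)

// Validator is a reduced stand-in (assumed shape, not CometBFT's real type)
// holding only the fields relevant to the advisory.
type Validator struct {
	Address          string
	VotingPower      int64
	ProposerPriority int64 // state of the proposer selection algorithm
}

// ValidatorSet is what a single RPC endpoint reports for a given height.
type ValidatorSet struct {
	Validators []Validator
}

// ErrValidatorSetMismatch is returned when two endpoints disagree.
var ErrValidatorSetMismatch = errors.New("validator sets from RPC endpoints differ")

// compareValidatorSets checks that two sets describe the same validators.
// With checkPriority=false it models the pre-fix behaviour: address and
// voting power are compared, ProposerPriority is silently ignored.
func compareValidatorSets(a, b ValidatorSet, checkPriority bool) error {
	if len(a.Validators) != len(b.Validators) {
		return fmt.Errorf("%w: %d vs %d validators", ErrValidatorSetMismatch,
			len(a.Validators), len(b.Validators))
	}
	for i := range a.Validators {
		va, vb := a.Validators[i], b.Validators[i]
		if va.Address != vb.Address {
			return fmt.Errorf("%w: address at index %d", ErrValidatorSetMismatch, i)
		}
		if va.VotingPower != vb.VotingPower {
			return fmt.Errorf("%w: voting power for %s", ErrValidatorSetMismatch, va.Address)
		}
		if checkPriority && va.ProposerPriority != vb.ProposerPriority {
			return fmt.Errorf("%w: proposer priority for %s (%d vs %d)",
				ErrValidatorSetMismatch, va.Address, va.ProposerPriority, vb.ProposerPriority)
		}
	}
	return nil
}

// VerifyStateSyncValidatorSets models the patched behaviour: every endpoint's
// set, ProposerPriority included, must agree with the first one, otherwise
// the fetched state is rejected and state sync fails.
func VerifyStateSyncValidatorSets(sets []ValidatorSet) error {
	for i := 1; i < len(sets); i++ {
		if err := compareValidatorSets(sets[0], sets[i], true); err != nil {
			return fmt.Errorf("endpoint %d: %w", i, err)
		}
	}
	return nil
}

// UnpatchedStateSyncValidatorSets models the vulnerable check, which misses
// a divergence that exists only in ProposerPriority.
func UnpatchedStateSyncValidatorSets(sets []ValidatorSet) error {
	for i := 1; i < len(sets); i++ {
		if err := compareValidatorSets(sets[0], sets[i], false); err != nil {
			return fmt.Errorf("endpoint %d: %w", i, err)
		}
	}
	return nil
}

// SampleEndpointSets builds constructed sample data: two endpoints that agree
// on addresses and voting power, but the second reports a different
// ProposerPriority for one validator. The addresses are placeholders.
func SampleEndpointSets() []ValidatorSet {
	endpointA := ValidatorSet{Validators: []Validator{
		{Address: "VAL_A", VotingPower: 10, ProposerPriority: -5},
		{Address: "VAL_B", VotingPower: 10, ProposerPriority: 5},
	}}
	endpointB := ValidatorSet{Validators: []Validator{
		{Address: "VAL_A", VotingPower: 10, ProposerPriority: 5}, // diverges
		{Address: "VAL_B", VotingPower: 10, ProposerPriority: -5},
	}}
	return []ValidatorSet{endpointA, endpointB}
}

func main() {
	sets := SampleEndpointSets()
	fmt.Println("unpatched check:", UnpatchedStateSyncValidatorSets(sets)) // <nil>: accepted
	fmt.Println("patched check:  ", VerifyStateSyncValidatorSets(sets))    // mismatch error
}
```

The two sample endpoints would pass the vulnerable comparison and be adopted as the node's starting state, leaving the node with a proposer rotation that disagrees with the rest of the network; the patched comparison fails state sync instead, which is the behaviour the advisory describes.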
Source: This report was generated using AI