GHSA-m9c9-mc2h-9wjw: 
JavaScript vulnerability analysis and mitigation

The vulnerability (GHSA-m9c9-mc2h-9wjw) affects the Lodestar Ethereum consensus client, specifically in the @lodestar/reqresp package versions prior to 1.25.0. The issue was discovered and disclosed on January 14, 2025, involving a snappy checksum verification flaw in the implementation of the Req/Resp protocol's ssz_snappy encoding (GitHub Advisory).

The vulnerability exists in the snappy framing format processing where Lodestar fails to verify checksums in uncompressed chunks. In the Req/Resp protocol, messages are encoded using ssz_snappy encoding, which implements snappy framing compression over ssz encoded messages. While other implementations like Golang's snappy package properly verify checksums and return errors for mismatches, Lodestar's decoder directly appends the data without verification (GitHub Advisory).

The vulnerability's impact is classified as severe, potentially causing an unintended permanent chain split affecting 25% or more of the network. Such a split would require a hard fork to resolve, effectively creating a network partition that necessitates significant coordination to fix (GitHub Advisory).

The vulnerability has been patched in version 1.25.0 of the @lodestar/reqresp package. Users should upgrade to this version or later to ensure proper checksum verification in snappy framing (GitHub Advisory).