GHSA-qr8r-m495-7hc4: 
vulnerability analysis and mitigation

A high-severity vulnerability (GHSA-qr8r-m495-7hc4) was identified in CometBFT versions 0.38.0 through 0.38.2, affecting the validation logic for VoteExtensionsEnableHeight. The vulnerability was discovered on January 15, 2024, by Dongsam (@b_harvest) through the Cosmos Bug Bounty Program on HackerOne and was publicly disclosed on January 18, 2024. The issue affects Chain Builders, Maintainers, and Validators using CometBFT v0.38.x (GitHub Advisory).

The vulnerability exists in CometBFT's validation logic for VoteExtensionsEnableHeight parameter. When a governance parameter change proposal including a VoteExtensionsEnableHeight modification is passed, affected nodes may experience a panic condition, potentially leading to a network halt. The issue was addressed in version 0.38.3 by improving the validation logic to properly handle governance proposals addressing this parameter (GitHub Advisory).

If exploited, this vulnerability can cause a chain halt when triggered through a governance parameter change proposal on an ABCI2 Application Chain. The impact is particularly significant as it affects the network's ability to continue operations, potentially disrupting all chain activities (GitHub Advisory).

The issue has been patched in CometBFT version 0.38.3. Chain developers running CometBFT v0.38.x are recommended to update their chain application to v0.38.3 or later. The patch can be applied as a 'soft patch,' allowing nodes to be updated and restarted at different times without requiring a coordinated chain halt. The network becomes protected once more than 66.7% of voting power has applied the update, with full resolution achieved when all validator nodes are updated (GitHub Advisory).