CVE-2023-34450
Deadlock in github.com/cometbft/cometbft/consensus
CVSS 3.1 base score 5.3 (MEDIUM); EPSS 0.06%
Description
An internal change to the way PeerState is serialized to JSON introduced a deadlock whenever the new MarshalJSON function is called. That function can be reached in two ways: through logging, when the consensus logging module is set to "debug" level (which should not happen in production) and the log output format is set to JSON; and through the dump_consensus_state RPC endpoint.
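As an added illustration (not CometBFT's code), the Go program below reproduces the classic way a custom MarshalJSON on a mutex-guarded struct deadlocks, next to the usual remedy, and wraps both in a timeout check of the kind a defender can use to spot a hung serializer. That this re-entrant lock is the exact root cause of CVE-2023-34450 is an assumption; the advisory above does not spell out the mechanism. The peerState type, marshalSafely and marshalWithTimeout are constructed for this example.

```go
package main
import (
	"encoding/json"
	"fmt"
	"sync"
	"time"
)

// Constructed stand-in for a mutex-guarded struct (not CometBFT's PeerState).
type peerState struct {
	mtx    sync.Mutex // unexported: skipped by encoding/json
	Height int64 `json:"height"`
	Round  int32 `json:"round"`
}
// Vulnerable pattern: lock, then pass the same pointer type to json.Marshal.
// The encoder sees that *peerState implements json.Marshaler and calls
// MarshalJSON again; the second Lock() blocks forever (Go mutexes are not
// reentrant), so the lock is never released either.
func (ps *peerState) MarshalJSON() ([]byte, error) {
	ps.mtx.Lock()
	defer ps.mtx.Unlock()
	return json.Marshal(ps) // re-enters MarshalJSON: deadlock
}
// Remedy: marshal through a local type with the same fields but no methods,
// so the encoder walks the struct fields instead of recursing.
func marshalSafely(ps *peerState) ([]byte, error) {
	ps.mtx.Lock()
	defer ps.mtx.Unlock()
	type plain peerState // same layout, no MarshalJSON, no re-entry
	return json.Marshal((*plain)(ps))
}
// marshalWithTimeout reports whether marshal returned within d; false is the
// deadlock signature (the stuck goroutine is deliberately left blocked).
func marshalWithTimeout(marshal func() ([]byte, error), d time.Duration) (string, bool) {
	done := make(chan []byte, 1)
	go func() { b, _ := marshal(); done <- b }()
	select {
	case b := <-done:
		return string(b), true
	case <-time.After(d):
		return "", false
	}
}

func main() {
	_, vulnOK := marshalWithTimeout((&peerState{Height: 10, Round: 1}).MarshalJSON, 200*time.Millisecond)
	fixed := &peerState{Height: 10, Round: 1} // fresh instance: the stuck call still holds its mutex
	out, fixedOK := marshalWithTimeout(func() ([]byte, error) { return marshalSafely(fixed) }, 200*time.Millisecond)
	fmt.Println(vulnOK, fixedOK, out) // false true {"height":10,"round":1}
}
```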
How to fix CVE-2023-34450
To remediate CVE-2023-34450, upgrade the affected package to a fixed version below.
- 0.34.x line: upgrade to 0.34.29 or later
- 0.37.x line: upgrade to 0.37.2 or later
Is CVE-2023-34450 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 0.34.28, < 0.34.29
- >= 0.37.1, < 0.37.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |