CWE: 670, 347
EPSS: 0.045%

CVE-2025-24800: Critical vulnerability in `ismp-grandpa` <v15.0.1

First published: Tue Jan 28 2025

A critical vulnerability was discovered in the `ismp-grandpa` crate that allowed a malicious prover to easily convince the verifier of the finality of arbitrary headers.

### Description

The vulnerability manifests as a verifier that only accepts incorrect signatures of GRANDPA precommits. It was introduced in this [specific commit](https://github.com/polytope-labs/ismp-substrate/pull/64/commits/5ca3351a19151f1a439c30d5cbdbfdc72a11f1a8#diff-3835cc24fb2011b3e8246036059acd8c2c2a9a869eedf7a210d18edb6543318dL262), perhaps due to unfamiliarity with core Substrate APIs: the `if` statement should have included a negation check, as the previous code did, but the negation was omitted, causing the verifier to **only** accept invalid signatures.

This vulnerability remained undetected even with [integration tests](https://github.com/polytope-labs/ismp-substrate/pull/64/commits/04d5be207b082eb61d586d52e1685e2e060347e6#diff-4aedbca82d26bebc03f274e23fd5697c3346ffff54405c87af9018f3aef708b2R1-R160), because the prover was also [misconfigured](https://github.com/polytope-labs/ismp-substrate/pull/64/commits/b26894913b301061b07db61af841ca2586415f08#diff-493a6129d75fe31185e28695a4d2adc1582fe9df12462e380fe994f170fc1e70L159) to initialize the GRANDPA verifier with the incorrect authority `set_id`. That misconfiguration causes verification of honest precommit signatures to fail, as the signed message is now malformed, and since the verifier only accepts signatures or messages that fail the verification check, the two mistakes cancelled out in the tests. Even more devastatingly, the verifier will also accept malicious GRANDPA signatures for any precommit message.

This vulnerability has been fixed in this [commit](https://github.com/polytope-labs/hyperbridge/pull/372/commits/f0e85db718f5165b06585a49b14a66f8ad643aea) and a patch release has been published.

### Impact

This could be used to steal funds or compromise other kinds of cross-chain applications.

### Patches

This vulnerability has been fixed in the latest version of `ismp-grandpa`, `v15.0.1`.

### Recommendations

Users who rely on the compromised versions must upgrade immediately, as all vulnerable versions of the crate have been yanked.
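The bug class described above, an `if` on a signature check that is missing its negation, is easiest to see in a small model. The following is an added example and is not code from `ismp-grandpa` or Hyperbridge: it models a GRANDPA precommit verifier with a constructed keyed hash (`toy_sign`/`toy_verify`, FNV-based) standing in for the real ed25519 check so that it runs with only the Rust standard library, and the `Precommit`, `SignedPrecommit`, `signing_message`, `verify_precommits_buggy` and `verify_precommits_fixed` names are the example's own. It shows the three behaviours the advisory describes: the buggy verifier rejects honest precommits, accepts forged ones, and accepts honest precommits when the verifier is initialized with the wrong `set_id`, which is why tests with a misconfigured prover still passed.

```rust
// Added example (not code from ismp-grandpa): a toy model of a GRANDPA
// precommit verifier showing the missing-negation bug beside its fix.
// The "signature" scheme is a constructed keyed hash standing in for
// ed25519, so the example runs with only the standard library.

/// What a GRANDPA voter commits to: a block hash and its number.
#[derive(Clone, Debug, PartialEq)]
pub struct Precommit {
    pub target_hash: [u8; 8],
    pub target_number: u64,
}

/// A precommit with the authority that signed it and its signature.
#[derive(Clone, Debug)]
pub struct SignedPrecommit {
    pub precommit: Precommit,
    pub authority: u64, // toy key; stands in for the ed25519 public key
    pub signature: u64,
}

/// The bytes actually signed: precommit, round and authority set id.
/// A different set_id produces different bytes, which is why a verifier
/// initialized with the wrong set_id fails every honest signature.
pub fn signing_message(precommit: &Precommit, round: u64, set_id: u64) -> Vec<u8> {
    let mut msg = Vec::with_capacity(32);
    msg.extend_from_slice(&precommit.target_hash);
    msg.extend_from_slice(&precommit.target_number.to_le_bytes());
    msg.extend_from_slice(&round.to_le_bytes());
    msg.extend_from_slice(&set_id.to_le_bytes());
    msg
}

/// Constructed keyed hash (FNV-1a seeded with the key). Toy only: a
/// stand-in for signing, not a real MAC or signature scheme.
pub fn toy_sign(message: &[u8], key: u64) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325 ^ key;
    for &b in message {
        h ^= b as u64;
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h
}

/// Toy verification: recompute and compare. The real crate performs an
/// ed25519 verification over the same message bytes at this point.
pub fn toy_verify(message: &[u8], signature: u64, key: u64) -> bool {
    toy_sign(message, key) == signature
}

/// Buggy shape: the `if` lacks its `!`, so the verifier rejects exactly the
/// precommits whose signatures verify and accepts the ones that do not.
pub fn verify_precommits_buggy(
    precommits: &[SignedPrecommit],
    round: u64,
    set_id: u64,
) -> Result<(), &'static str> {
    for sp in precommits {
        let msg = signing_message(&sp.precommit, round, set_id);
        if toy_verify(&msg, sp.signature, sp.authority) {
            return Err("invalid precommit signature");
        }
    }
    Ok(())
}

/// Fixed shape: negate the check so only valid signatures pass.
pub fn verify_precommits_fixed(
    precommits: &[SignedPrecommit],
    round: u64,
    set_id: u64,
) -> Result<(), &'static str> {
    for sp in precommits {
        let msg = signing_message(&sp.precommit, round, set_id);
        if !toy_verify(&msg, sp.signature, sp.authority) {
            return Err("invalid precommit signature");
        }
    }
    Ok(())
}

/// A precommit honestly signed by `authority` for the given round and set.
pub fn honest_precommit(precommit: Precommit, authority: u64, round: u64, set_id: u64) -> SignedPrecommit {
    let signature = toy_sign(&signing_message(&precommit, round, set_id), authority);
    SignedPrecommit { precommit, authority, signature }
}

/// A forged precommit: arbitrary bytes where the signature should be.
pub fn forged_precommit(precommit: Precommit, authority: u64) -> SignedPrecommit {
    SignedPrecommit { precommit, authority, signature: 0xdead_beef }
}

fn main() {
    const ROUND: u64 = 7;
    const SET_ID: u64 = 3;
    let target = Precommit { target_hash: *b"blk_0042", target_number: 42 };
    let honest = vec![honest_precommit(target.clone(), 0x1111, ROUND, SET_ID)];
    let forged = vec![forged_precommit(target.clone(), 0x1111)];
    println!("buggy, honest:              {:?}", verify_precommits_buggy(&honest, ROUND, SET_ID));
    println!("buggy, forged:              {:?}", verify_precommits_buggy(&forged, ROUND, SET_ID));
    println!("buggy, honest, wrong set_id: {:?}", verify_precommits_buggy(&honest, ROUND, SET_ID + 1));
    println!("fixed, honest:              {:?}", verify_precommits_fixed(&honest, ROUND, SET_ID));
    println!("fixed, forged:              {:?}", verify_precommits_fixed(&forged, ROUND, SET_ID));
}
```

The third `println!` is the interesting one for reviewers: a test suite whose prover signs under one `set_id` while the verifier expects another will report success against the buggy verifier, so a regression test for this class of bug should include at least one precommit that is known to be forged and assert that it is rejected.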

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
| --- | --- | --- |
| rust/grandpa-verifier | <0.1.2 | 0.1.2 |
| rust/grandpa-verifier-primitives | <0.1.2 | 0.1.2 |
| rust/ismp-grandpa | <15.0.1 | 15.0.1 |
| Hyperbridge ISMP-Grandpa | <15.0.1 | |


Frequently Asked Questions

  • What is the severity of CVE-2025-24800?

    CVE-2025-24800 is classified as a critical vulnerability.

  • Which software versions are affected by CVE-2025-24800?

    CVE-2025-24800 affects versions of the 'grandpa-verifier' and 'grandpa-verifier-primitives' crates below 0.1.2 and the 'ismp-grandpa' crate below 15.0.1.

  • How do I fix CVE-2025-24800?

    To mitigate CVE-2025-24800, update 'grandpa-verifier' and 'grandpa-verifier-primitives' to version 0.1.2 and 'ismp-grandpa' to version 15.0.1.

  • What type of vulnerability is CVE-2025-24800?

    CVE-2025-24800 is a security vulnerability that allows a malicious prover to deceive the verifier regarding the finality of headers.

  • Is there a public advisory for CVE-2025-24800?

    Yes, there is a public security advisory available regarding CVE-2025-24800 on GitHub.
