CVE-2025-24883
Published 2025-01-30
Priority P3 · 46 · high · 8.7 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X (network-reachable, no privileges or user interaction required; availability impact high, no confidentiality or integrity impact)
EPSS: 0.68% (47.8th percentile)
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.14.13.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ethereum | go-ethereum | — | — |
| github.com | ethereum_go-ethereum | >= 1.14.0 < 1.14.13 | 1.14.13 |
OSV
osv·2025-02-04 · Go Ethereum vulnerable to DoS via malicious p2p message in github.com/ethereum/go-ethereum
osv·2025-01-30 · CVE-2025-24883 [MEDIUM] · Go Ethereum vulnerable to DoS via malicious p2p message
### Impact
A vulnerable node can be forced to shutdown/crash using a specially crafted message.
During the peer-to-peer connection handshake, a shared secret key is computed. The implementation did not verify whether the EC public key provided by the remote party is a valid point on the secp256k1 curve.
By simply sending an all-zero public key, a crash could be induced due to unexpected results from the handshake.
The issue was fixed by adding a curve point validity check in https://github.com/ethereum/go-ethereum/commit/159fb1a1db551c544978dc16a5568a4730b4abf3
### Patches
A fix has been included in geth version 1.14.13 and onwards.
### Workarounds
Unfortunately, no workaround is available.
### Credits
This issue was origina
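The handshake failure described in the Impact section above, as an added example that is not go-ethereum's own code: a minimal secp256k1 ECDH in Go with an explicit point-at-infinity flag, the curve-membership check the fix adds (both coordinates in range and y² = x³ + 7 mod p) applied to the 64-byte X||Y public key before any arithmetic, and what the unchecked group law does with 64 zero bytes. The function and error names, the textbook affine arithmetic and the private scalars used in the test are this example's own assumptions; nothing here reproduces geth's RLPx or ECIES code paths, and the exact call that crashed geth is not stated on this page.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// secp256k1 (SEC 2): y^2 = x^3 + 7 over GF(p); G is the base point.
var (
	curveP = hexInt("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F")
	curveG = Point{
		X: hexInt("79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798"),
		Y: hexInt("483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8"),
	}
	ErrNotOnCurve = errors.New("handshake: remote public key is not a point on secp256k1")
)

func hexInt(s string) *big.Int { // only used on the fixed, known-good constants above
	v, _ := new(big.Int).SetString(s, 16)
	return v
}

// Point is affine; Inf marks infinity explicitly, so all-zero bytes never look like it.
type Point struct {
	X, Y *big.Int
	Inf  bool
}

// IsOnCurve is the check the fix adds: coordinates in [0, p) and y^2 == x^3 + 7 (mod p).
func IsOnCurve(x, y *big.Int) bool {
	if x.Sign() < 0 || y.Sign() < 0 || x.Cmp(curveP) >= 0 || y.Cmp(curveP) >= 0 {
		return false
	}
	lhs := new(big.Int).Mul(y, y)
	rhs := new(big.Int).Exp(x, big.NewInt(3), curveP)
	return lhs.Mod(lhs, curveP).Cmp(rhs.Add(rhs, big.NewInt(7)).Mod(rhs, curveP)) == 0
}

// ParseRemotePubkey parses the 64-byte X||Y form (no 0x04 prefix) used for public
// keys in the RLPx handshake and rejects anything that is not a curve point.
func ParseRemotePubkey(b []byte) (Point, error) {
	if len(b) != 64 {
		return Point{}, errors.New("handshake: remote public key must be 64 bytes")
	}
	x, y := new(big.Int).SetBytes(b[:32]), new(big.Int).SetBytes(b[32:])
	if !IsOnCurve(x, y) { // (0,0) fails: 0 != 7
		return Point{}, ErrNotOnCurve
	}
	return Point{X: x, Y: y}, nil
}

// add is textbook affine addition. It trusts its inputs; a non-point such as
// (0,0) is exactly what produces the "unexpected results" the advisory mentions.
func add(a, b Point) Point {
	if a.Inf {
		return b
	}
	if b.Inf {
		return a
	}
	num, den := new(big.Int).Sub(b.Y, a.Y), new(big.Int).Sub(b.X, a.X) // lambda = (y2-y1)/(x2-x1)
	if a.X.Cmp(b.X) == 0 {
		if a.Y.Cmp(b.Y) != 0 || a.Y.Sign() == 0 { // P + (-P), or 2P with y == 0
			return Point{Inf: true}
		}
		num.Mul(a.X, a.X).Mul(num, big.NewInt(3)) // doubling: lambda = 3x^2 / 2y
		den.Lsh(a.Y, 1)
	}
	lambda := new(big.Int).ModInverse(den.Mod(den, curveP), curveP)
	lambda.Mul(lambda, num).Mod(lambda, curveP)
	x3 := new(big.Int).Mul(lambda, lambda)
	x3.Sub(x3, a.X).Sub(x3, b.X).Mod(x3, curveP)
	y3 := new(big.Int).Sub(a.X, x3)
	y3.Mul(y3, lambda).Sub(y3, a.Y).Mod(y3, curveP)
	return Point{X: x3, Y: y3}
}

// ScalarMult is left-to-right double-and-add (not constant time; demo only).
func ScalarMult(k *big.Int, pt Point) Point {
	r := Point{Inf: true}
	for i := k.BitLen() - 1; i >= 0; i-- {
		r = add(r, r)
		if k.Bit(i) == 1 {
			r = add(r, pt)
		}
	}
	return r
}

// SharedSecret is the ECDH step of the handshake: the x coordinate of priv*remote
// as 32 bytes. Infinity is reported as an error rather than serialised as zeros.
func SharedSecret(priv *big.Int, remote Point) ([]byte, error) {
	if s := ScalarMult(priv, remote); !s.Inf {
		return s.X.FillBytes(make([]byte, 32)), nil
	}
	return nil, errors.New("handshake: ECDH result is the point at infinity")
}

func main() {
	_, err := ParseRemotePubkey(make([]byte, 64)) // attacker's handshake key: 64 zero bytes
	fmt.Println(err)
}
```

With the check in place the all-zero key is rejected before any arithmetic runs. Without it, the same bytes reach the group law as the non-point (0,0): doubling it lands on the point at infinity, so after double-and-add the result is either (0,0) or infinity depending only on the parity of the local private scalar. A naive implementation then either serialises an all-zero "secret" or dereferences coordinates that do not exist, which is the kind of unexpected result the advisory refers to. The example keeps infinity as a separate flag because affine code that reuses (0,0) for infinity (as Go's crypto/elliptic does) cannot even tell the attacker's input apart from the identity element.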
GHSA
ghsa·2025-01-30 · CVE-2025-24883 [MEDIUM] CWE-20 · Go Ethereum vulnerable to DoS via malicious p2p message
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2025-01-30