exploitDog

CVE-2025-24371

Published: 3 Feb 2025
Source: nvd
EPSS: Low

Description

CometBFT is a distributed, Byzantine fault-tolerant, deterministic state machine replication engine. In the blocksync protocol, peers send their base and latest heights when they connect to a new node (A) that is syncing to the tip of a network. base acts as a lower bound and informs A that the peer only has blocks starting from height base. latest height informs A about the latest block in the network. Normally, nodes would only report increasing heights. If a peer B fails to provide the latest block, B is removed and the latest height (target height) is recalculated based on the other nodes' latest heights. The existing code, however, doesn't check for the case where B first reports latest height X and immediately afterwards height Y, where X > Y. A will be trying to catch up to 2000 indefinitely. This condition requires the introduction of malicious code in the full node first reporting some non-existing latest height, then reporting lower latest height and no

EPSS

Percentile: 27%
Score: 0.0009
Low

Weaknesses

CWE-703

Related vulnerabilities

github
5 months ago

CometBFT allows a malicious peer to make node stuck in blocksync

suse-cvrf
4 months ago

Security update for govulncheck-vulndb
