Consensus Bug in Hyperledger Besu's Ethereum Client by Hyperledger
CVE-2025-30147
Key Information:
- Vendor: Hyperledger
- CVE Published: 7 May 2025
What is CVE-2025-30147?
CVE-2025-30147 refers to a vulnerability identified in the Hyperledger Besu Ethereum client, specifically within its native library implementation, known as besu-native. Hyperledger Besu is an Ethereum client designed for enterprise use, allowing organizations to build and manage blockchain networks. The vulnerability arises from a consensus bug associated with specific precompile functions (ALTBN128_ADD, ALTBN128_MUL, and ALTBN128_PAIRING), which are employed in cryptographic operations within Ethereum smart contracts.
This bug originates from the reimplementation of these precompiles using a new cryptographic library, gnark-crypto, due to performance issues with the previous library. Unfortunately, the implementation did not adequately check whether some elliptic curve (EC) points, which were valid in a subgroup, were also valid on the curve itself. As a result, an attacker could potentially craft input points that lead to incorrect computations, causing the Besu client to fall out of consensus. Such inconsistencies in blockchain state could severely undermine the reliability of transactions processed by affected networks, especially in homogeneous environments where all nodes are running vulnerable versions of Besu.
Version 1.3.0 of besu-native has addressed the issue, with a patched version of Hyperledger Besu now available for users to implement. Until organizations upgrade, they can disable the problematic precompile in favor of a slower pure-Java implementation, mitigating risks but at the cost of performance.
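The explicit on-curve check discussed above, as an added Python example (not besu-native or Besu code): it validates ALTBN128_ADD input using the alt_bn128 parameters from EIP-196 before doing any arithmetic. The function names and the sample inputs are constructed for illustration.

```python
# BN254 / alt_bn128 base-field modulus; the G1 curve is y^2 = x^3 + 3 (EIP-196).
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583

class InvalidPoint(ValueError):
    """Input the precompile must reject instead of computing on."""

def parse_g1(data: bytes):
    """Decode a 64-byte (x, y) G1 point. Returns None for infinity, encoded (0, 0)."""
    if len(data) != 64:
        raise InvalidPoint("G1 point must be exactly 64 bytes")
    x, y = int.from_bytes(data[:32], "big"), int.from_bytes(data[32:], "big")
    if x >= P or y >= P:
        raise InvalidPoint("coordinate is not a reduced field element")
    if x == 0 and y == 0:
        return None
    # Explicit curve-equation check; never inferred from a subgroup test.
    if (y * y - (x * x * x + 3)) % P != 0:
        raise InvalidPoint("point is not on the curve")
    return x, y

def g1_add(a, b):
    """Affine addition of two validated points (None = infinity)."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:  # a == -b
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P   # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def enc(x: int, y: int) -> bytes:
    """Encode a coordinate pair as two 32-byte big-endian words."""
    return x.to_bytes(32, "big") + y.to_bytes(32, "big")

def altbn128_add(call_data: bytes) -> bytes:
    """ALTBN128_ADD semantics: zero-pad input to 128 bytes, validate, add, encode."""
    buf = call_data[:128].ljust(128, b"\x00")
    r = g1_add(parse_g1(buf[:64]), parse_g1(buf[64:]))
    return enc(*r) if r is not None else bytes(64)

# Constructed sample inputs: generator (1, 2) is on the curve; (1, 3) is not.
G, OFF_CURVE = enc(1, 2), enc(1, 3)
```

Every client has to reject `OFF_CURVE` in the same way; a client that accepts it and returns a result is the divergence that breaks consensus.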
Potential impact of CVE-2025-30147
- Disruption of Consensus: The consensus bug in specific precompile functions can lead to discrepancies in computational results across network nodes, ultimately causing nodes to fall out of sync. This disruption complicates the effectiveness of the blockchain and can hinder transaction processing, leading to potential downtime or inefficiency in network operations.
- Enshrined Invalid State: In networks using vulnerable versions of Besu, there is a risk that invalid blockchain states might be permanently stored. Once these invalid states are recorded, rectifying them in future updates poses significant challenges, which can lead to prolonged periods of instability or even the need for network-wide interventions.
- Increased Attack Surface: The exploitation of this vulnerability could permit malicious entities to manipulate consensus processes by sending crafted inputs to the precompile functions. This compromises the integrity of transaction verification and smart contract execution within the Ethereum ecosystem, thereby increasing the viability of attacks aiming to exploit the inconsistency in behavior across nodes.
Affected Version(s)
besu-native >= 0.9.0, < 1.3.0
News Articles
NVD - CVE-2025-30147
Description Besu Native contains scripts and tooling that is used to build and package the native libraries used by the Ethereum client Hyperledger Besu. Besu 24.7.1 through...
Timeline
- First article discovered by National Institute of Standards and Technology (.gov)
- Vulnerability published
- Vulnerability Reserved
