A critical security vulnerability has been discovered in the Cosmos network, a vital infrastructure component of the cryptocurrency ecosystem.
Security researcher Doyeon Park has publicly disclosed a “0-day” vulnerability in CometBFT, the consensus engine used by Cosmos (ATOM).
According to the information Park shared, the vulnerability is rated CVSS 7.1 (High) and can cause nodes in the Cosmos ecosystem to lock up during block synchronization. While this does not directly lead to asset theft, it is considered a potential risk that could cause significant operational disruption to a network securing over $8 billion in assets.
The researcher stated that they followed the Coordinated Vulnerability Disclosure (CVD) process, which normally mandates responsible disclosure of vulnerabilities, but decided to make their findings public because of communication problems and a lack of cooperation from the relevant development team. Park added that the developers are responsible for any security risks that arise as a result.
Following the announcement, a “survival guide” for Cosmos validators was also shared. According to this guide, node operators are advised to avoid restarting their nodes wherever possible until the vulnerability is fixed, because the vulnerability is triggered specifically during the block synchronization phase. Nodes currently running in consensus mode can continue to operate normally, but a restarted node that encounters a malicious peer while syncing may lock up and be unable to rejoin the network.
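The guide's distinction between a node that is in consensus and one that is still syncing is observable from the node itself. The following is an added monitoring example, not code from the article or from the CometBFT project: it assumes the node exposes the standard CometBFT RPC `/status` endpoint (default `http://127.0.0.1:26657/status`), whose response includes `result.sync_info.latest_block_height` and `result.sync_info.catching_up`, and flags a node that has been reporting `catching_up` with no height progress for a configurable window. The status responses embedded below are constructed sample data.

```python
"""Detect a CometBFT node that appears stuck in block sync.

Added example, not from the article or the CometBFT project. Assumes the
standard CometBFT RPC /status endpoint; the sample bodies below are constructed.
"""
import json
import time
import urllib.request
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class SyncSample:
    height: int          # result.sync_info.latest_block_height
    catching_up: bool    # result.sync_info.catching_up
    taken_at: float      # epoch seconds when the sample was polled


def parse_status(body: str, taken_at: float) -> SyncSample:
    """Extract the sync fields from a /status JSON body."""
    info = json.loads(body)["result"]["sync_info"]
    return SyncSample(
        height=int(info["latest_block_height"]),
        catching_up=bool(info["catching_up"]),
        taken_at=taken_at,
    )


def sync_stalled(samples: List[SyncSample], window_s: float = 120.0) -> bool:
    """True if the newest sample is still catching up and the height has not
    advanced for at least `window_s` seconds of consecutive samples.

    A node in consensus mode (catching_up == False) is never flagged, matching
    the guide's note that such nodes keep operating normally.
    """
    if len(samples) < 2:
        return False
    latest = samples[-1]
    if not latest.catching_up:
        return False
    # Walk back to the oldest consecutive sample at the same height.
    oldest_same = latest
    for s in reversed(samples[:-1]):
        if s.height != latest.height or not s.catching_up:
            break
        oldest_same = s
    return latest.taken_at - oldest_same.taken_at >= window_s


def fetch_status(url: str = "http://127.0.0.1:26657/status",
                 timeout: float = 5.0) -> SyncSample:
    """Poll a live node (not exercised by the embedded sample data)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_status(resp.read().decode(), time.time())


def samples_from_bodies(bodies: Iterable[str], start: float = 0.0,
                        interval: float = 60.0) -> List[SyncSample]:
    """Turn a sequence of /status bodies into samples spaced `interval` apart."""
    return [parse_status(b, start + i * interval) for i, b in enumerate(bodies)]


def _body(height: int, catching_up: bool) -> str:
    # Constructed /status response reduced to the fields this check reads.
    return json.dumps({"jsonrpc": "2.0", "id": -1, "result": {"sync_info": {
        "latest_block_height": str(height), "catching_up": catching_up}}})


# Constructed scenarios, three polls each, 60 s apart.
STUCK_SYNC = [_body(1000, True), _body(1000, True), _body(1000, True)]
HEALTHY_SYNC = [_body(1000, True), _body(1500, True), _body(2000, True)]
IN_CONSENSUS = [_body(1000, False), _body(1000, False), _body(1000, False)]


def evaluate(bodies: List[str]) -> bool:
    """Convenience wrapper: parse the bodies and run the stall check."""
    return sync_stalled(samples_from_bodies(bodies))


if __name__ == "__main__":
    for name, bodies in [("stuck", STUCK_SYNC), ("healthy", HEALTHY_SYNC),
                         ("consensus", IN_CONSENSUS)]:
        print(f"{name}: stalled={evaluate(bodies)}")
```

Run against a live node by replacing the constructed bodies with repeated `fetch_status()` calls in a loop; a `True` result is a signal to investigate the peer set before attempting another restart, since the guide says the lock-up is tied to syncing rather than to steady-state consensus.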
Park also made noteworthy claims about the background of the disclosure. According to the researcher, the development team argued that the vulnerability was not exploitable and asked that the report be shared publicly on GitHub, but refused a request for a detailed explanation. Park then stated that they provided a network-level proof-of-concept (PoC) demonstrating that the vulnerability was indeed exploitable, but received no further feedback after that point.
Park also claimed that CVE-2025-24371, an earlier vulnerability reported to have the same effect, was reclassified as “minor” by the development team, and argued that this contradicts the MITRE and FIRST criteria that set the international standards.
The researcher further claimed to have reported a more serious vulnerability through HackerOne, only for it to be marked as “spam” without a technical review. Park noted that other researchers participating in the Cosmos bug bounty program have raised similar issues.