Skip to content

fix: bump go-ethereum to v1.16.8 to fix CVE-2026-22868#7

Merged
brendanjryan merged 5 commits into
mainfrom
fix/bump-go-ethereum-cve-2026-22868
Jan 27, 2026
Merged

fix: bump go-ethereum to v1.16.8 to fix CVE-2026-22868#7
brendanjryan merged 5 commits into
mainfrom
fix/bump-go-ethereum-cve-2026-22868

Conversation

@struong

@struong struong commented Jan 27, 2026

Copy link
Copy Markdown
Member

motivation

go-ethereum v1.13.5 is affected by CVE-2026-22868 (GHSA-mq3p-rrmp-79jg), a high-severity vulnerability where an attacker can cause high CPU usage via a malicious p2p message, leading to denial of service.

implications

The dependency is now on a patched version (v1.16.8), eliminating the DoS attack vector. Minimum Go version bumped to 1.24 as required by the new go-ethereum version.

Users on Go 1.21-1.23 can pin to v0.1.0 but will remain on the vulnerable go-ethereum version.

testing

  • go build ./... passes
  • All unit tests pass (pkg/client, pkg/signer, pkg/transaction)
  • Integration tests require TEMPO_RPC_URL env var (runs in CI)

next steps

After merging:

  1. Tag v0.2.0: git tag v0.2.0 && git push origin v0.2.0
  2. Create GitHub release with changelog notes

Addresses GHSA-mq3p-rrmp-79jg - high CPU usage DoS via malicious p2p message.
Previous version v1.13.5 was affected (all versions <= 1.16.7).
@struong struong marked this pull request as draft January 27, 2026 18:16
@struong struong marked this pull request as ready for review January 27, 2026 18:54
@struong struong requested a review from brendanjryan January 27, 2026 18:54
@brendanjryan brendanjryan merged commit 3230c35 into main Jan 27, 2026
2 checks passed
@brendanjryan brendanjryan deleted the fix/bump-go-ethereum-cve-2026-22868 branch January 27, 2026 19:42
grandizzy added a commit that referenced this pull request Jan 29, 2026
Expand integration tests to match tempo-foundry's tempo-check.sh CI coverage,
similar to pytempo PR #7.

New integration tests:
- Node connectivity (client version check)
- Fee token liquidity (AlphaUSD, BetaUSD, ThetaUSD)
- Send with custom fee token
- 2D nonces (nonce_key)
- Expiring nonces (valid_before, valid_after)
- Sponsored transactions (fee payer)
- Batch transactions (multiple calls)
- setUserFeeToken

Skipped tests (require specific setup):
- Access keys (needs investigation on devnet)
- DEX operations (require liquidity setup)

CI changes:
- Integration tests (Devnet/Testnet) now run on all PRs, not just main/schedule

Test results: 12 passed, 3 skipped

Amp-Thread-ID: https://ampcode.com/threads/T-019c0a32-581b-717c-b814-0d5614d0ff97
Co-authored-by: Amp <amp@ampcode.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants