
Core-Geth

Maintained · Go

Bridge release — sunset after Olympia. etclabscore/core-geth v1.12.x was unmaintained June 2024–March 2026 (21 months), accumulating six unpatched CVEs that were actively exploited against ETC mainnet bootnodes. All patched in v1.13.0 by White B0x (ethereumclassic/core-geth). v1.13.x is the final series — migrate to Fukuii before Olympia activation.

⚠ Sunset after Olympia · Maintenance mode since December 2024 · v1.13.x final series · Migrate to Fukuii →

Platform Support

Windows · macOS · Linux · Docker

Key Features

  • Full and light sync modes
  • JSON-RPC and WebSocket APIs
  • EVM tracing and debugging
  • Built-in mining support
  • MEV-free transaction ordering

Security Notice — etclabscore Fork

The etclabscore/core-geth fork is unmaintained and does not include the security patches listed below. If you are running that version, upgrade immediately to github.com/ethereumclassic/core-geth.

Get Patched Version →

Patched Security Advisories

HIGH

CVE-2026-26313

P2P RLP item count memory exhaustion — crafted message header crashes node via OOM. Remote, no auth required.

Fix: 5d0cb8b34

HIGH

CVE-2026-22862

ECIES decrypt length undercheck (off-by-15) — undersized RLPx auth payload causes out-of-bounds read and remote crash.

Fix: dc73f2e4f

HIGH

CVE-2026-26315

ECIES GenerateShared missing public key validation — MAC-oracle attack can leak P2P node key bits via repeated unauthenticated handshakes.

Fix: 2d3528803

HIGH

CVE-2026-26314

secp256k1 IsOnCurve field boundary bypass — out-of-field coordinates satisfy the naive curve equation and pass the validity gate.

Fix: 2d3528803

HIGH

CVE-2025-24883

UnmarshalPubkey missing IsOnCurve check — off-curve secp256k1 points pass deserialization and corrupt downstream crypto operations.

Fix: 8e40b7e41

MODERATE

CVE-2026-22868

KZG blob proof DoS — invalid proofs trigger full expensive verification without peer disconnect, enabling sustained CPU exhaustion.

Fix: 1419c5310

MODERATE

GraphQL Depth DoS

No query depth limit on the --graphql endpoint; graphql-go v1.3.0 MaxDepth bug made the limit non-functional even when set.

Fix: 6c2d383fa

After upgrading: Rotate your P2P node key so the node joins the network with a fresh identity.

rm <datadir>/geth/nodekey
Full security audit — CVE details, risk assessment, methodology · View audit →
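
The coordinate range check behind the CVE-2026-26314 and CVE-2025-24883 entries above, as an added Go example (not core-geth's own code or its patch). naiveOnCurve and strictOnCurve are hypothetical names, and the sample points are constructed from the public secp256k1 generator.

```go
package main

import (
	"fmt"
	"math/big"
)

// Public secp256k1 constants: field prime p = 2^256 - 2^32 - 977 and generator G.
var (
	fieldP  = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 256), big.NewInt(1<<32+977))
	genX, _ = new(big.Int).SetString("79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", 16)
	genY, _ = new(big.Int).SetString("483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8", 16)
)

// naiveOnCurve (hypothetical) reduces both sides of y^2 = x^3 + 7 mod p
// without checking that x and y are canonical field elements.
func naiveOnCurve(x, y *big.Int) bool {
	lhs := new(big.Int).Mul(y, y)
	lhs.Mod(lhs, fieldP)
	rhs := new(big.Int).Mul(x, x)
	rhs.Mul(rhs, x)
	rhs.Add(rhs, big.NewInt(7))
	rhs.Mod(rhs, fieldP)
	return lhs.Cmp(rhs) == 0
}

// strictOnCurve (hypothetical) rejects nil, negative and >= p coordinates
// before it evaluates the curve equation.
func strictOnCurve(x, y *big.Int) bool {
	if x == nil || y == nil {
		return false
	}
	if x.Sign() < 0 || y.Sign() < 0 || x.Cmp(fieldP) >= 0 || y.Cmp(fieldP) >= 0 {
		return false
	}
	return naiveOnCurve(x, y)
}

func main() {
	// Constructed samples: G itself, G with p added to x, and G with y off by one.
	shifted := new(big.Int).Add(genX, fieldP)
	offY := new(big.Int).Add(genY, big.NewInt(1))
	fmt.Println("G          naive:", naiveOnCurve(genX, genY), "strict:", strictOnCurve(genX, genY))
	fmt.Println("(Gx+p, Gy) naive:", naiveOnCurve(shifted, genY), "strict:", strictOnCurve(shifted, genY))
	fmt.Println("(Gx, Gy+1) naive:", naiveOnCurve(genX, offY), "strict:", strictOnCurve(genX, offY))
}
```

A key parser should run the strict form on every deserialized public key before the point reaches ECDH or signature code.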

Installation

Quick Install

docker pull ghcr.io/ethereumclassic/core-geth:latest

macOS (Homebrew)

brew install core-geth

Docker

docker pull ghcr.io/ethereumclassic/core-geth:latest

Build from Source

git clone https://github.com/ethereumclassic/core-geth.git
cd core-geth
make geth

Configuration

Note: Use --classic flag for ETC mainnet, --mordor for testnet

Mainnet (Chain ID 61)

geth --classic

Mordor Testnet (Chain ID 63)

geth --mordor

Common Options

--http                 # Enable HTTP-RPC server
--http.addr 0.0.0.0    # HTTP listen address (0.0.0.0 binds all interfaces)
--http.port 8545       # HTTP-RPC port
--ws                   # Enable WebSocket server
--syncmode full        # Full node sync
--syncmode snap        # Snap sync (faster)

Bridge Release — Maintenance Mode

v1.13.x is the final release series for this client. Maintained through the Olympia upgrade for network continuity only.

Need Help Getting Started?

Check out our network information page for RPC endpoints and testnet resources.