logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-mx2j-7cmv-353c cosmwasm-vm

Package

Manager: cargo
Name: cosmwasm-vm
Vulnerable Version: =2.2.0 || >=2.2.0 <2.2.1 || >=2.1.0 <2.1.6 || >=2.0.0 <2.0.9 || >=0 <1.5.10

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

wasmvm: Malicious smart contract can slow down block production # CWA-2025-002 **Severity** Medium (Moderate + Likely)[^1] **Affected versions:** - wasmvm >= 2.2.0, < 2.2.2 - wasmvm >= 2.1.0, < 2.1.5 - wasmvm >= 2.0.0, < 2.0.6 - wasmvm < 1.5.8 **Patched versions:** - wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2 ## Description of the bug The vulnerability can be used to slow down block production. The attack requires a malicious contract, so permissioned chains are unlikely to be affected. (We'll add more detail once chains had a chance to upgrade.) ## Patch - 1.5: https://github.com/CosmWasm/cosmwasm/commit/2b7f2faa57a1efc8207455c37f87f1eee6035a27 - 2.0: https://github.com/CosmWasm/cosmwasm/commit/d6143b0aff16a39bbea4be37597d8e9d9b213d3b - 2.1: https://github.com/CosmWasm/cosmwasm/commit/f0c04c03cbe2557634c1bbcdc2ce203fe7caca58 - 2.2: https://github.com/CosmWasm/cosmwasm/commit/a5d62f65b5eb947ebe40e2085b1c48a9d0a244d0 ## Applying the patch The patch will be shipped in releases of wasmvm. You can update more or less as follows: 1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm` 2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to one of the patched version depending on which minor version you are on; `go mod tidy`; commit. 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, update them accordingly. 4. Check the updated wasmvm version: `go list -m github.com/CosmWasm/wasmvm` and ensure you see 1.5.8, 2.0.6, 2.1.5 or 2.2.2. 5. Follow your regular practices to deploy chain upgrades. The patch is consensus breaking and requires a coordinated upgrade. ## Acknowledgement This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see <https://hackerone.com/cosmos>. ## Timeline - 2024-11-24: Confio receives a report through the Cosmos bug bounty program maintained by Amulet. - 2024-12-20: Confio security contributors confirm the report. - 2024-01-27: Confio developed the patch internally. - 2025-02-04: Patch gets released. [^1]: following Amulet's Severity Classification Framework ACMv1.2: https://github.com/interchainio/security/blob/0295254e8645301ccb606d46108a45cede0a73e0/resources/CLASSIFICATION_MATRIX.md

Metadata

Created: 2025-02-04T18:57:21Z
Modified: 2025-07-09T16:06:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-mx2j-7cmv-353c/GHSA-mx2j-7cmv-353c.json
CWE IDs: []
Alternative ID: N/A
Finding: F067
Auto approve: 1