logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-x5vx-95h7-rv4p github.com/cosmos/cosmos-sdk

Package

Manager: go
Name: github.com/cosmos/cosmos-sdk
Vulnerable Version: >=0 <0.47.16-ics-lsm || >=0.50.0-alpha.0 <0.50.12

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Cosmos SDK: Groups module can halt chain when handling a malicious proposal Name: ASA-2025-003: Groups module can halt chain when handling a malicious proposal Component: CosmosSDK Criticality: High (Considerable Impact; Likely Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md)) Affected versions: <= v0.47.15, <= 0.50.11 Affected users: Validators, Full nodes, Users on chains that utilize the groups module ### Description An issue was discovered in the groups module where a malicious proposal would result in a division by zero, and subsequently halt a chain due to the resulting error. Any user that can interact with the groups module can introduce this state. ### Patches The new Cosmos SDK release [v0.50.12](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.12) and [v0.47.16](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.16) fix this issue. ### Workarounds There are no known workarounds for this issue. It is advised that chains apply the update. ### Timeline * February 9, 2025, 5:18pm PST: Issue reported to the Cosmos Bug Bounty program * February 9, 2025, 8:12am PST: Issue triaged by Amulet on-call, and distributed to Core team * February 9, 2025, 12:25pm PST: Core team completes validation of issue * February 18, 2025, 8:00am PST / 17:00 CET: Pre-notification delivered * February 20, 2025, 8:00am PST / 17:00 CET: Patch made available This issue was reported to the Cosmos Bug Bounty Program by [dongsam](https://github.com/dongsam) on HackerOne on February 9, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos. If you have questions about Interchain security efforts, please reach out to our official communication channel at [security@interchain.io](mailto:security@interchain.io). For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security. A Github Security Advisory for this issue is available in the Cosmos SDK [repository](https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-x5vx-95h7-rv4p).

Metadata

Created: 2025-02-20T20:18:25Z
Modified: 2025-02-20T20:18:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-x5vx-95h7-rv4p/GHSA-x5vx-95h7-rv4p.json
CWE IDs: ["CWE-369"]
Alternative ID: N/A
Finding: F020
Auto approve: 1