logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-79xg-q4qm-7v9w github.com/cosmwasm/wasmd

Package

Manager: go
Name: github.com/cosmwasm/wasmd
Vulnerable Version: =0.60.0 || >=0.60.0 <0.60.1 || >=0.55.0 <0.55.1 || >=0.54.0 <0.54.1 || >=0.51.0 <0.53.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

CWA-2025-006: wasmd's improper error handling may lead to IBC channel opening despite error # CWA-2025-006: Improper error handling may lead to IBC channel opening despite error **Severity** High (Considerable + Likely)[^1] **Affected versions:** - wasmd 0.60.0 - wasmd >= 0.51.0 < 0.55.1 **Patched versions:** - wasmd 0.60.1, 0.55.1, 0.54.1, 0.53.3 ## Description of the bug A contract erroring during IBC channel opening does not prevent the channel from opening. ## Applying the patch The patch will be shipped in a wasmd release. You will also have to update `libwasmvm` if you build statically. If you already use the latest / close to latest wasmd, you can update more or less as follows: 1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd` 2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.60.1 (Cosmos SDK 0.53 compatible), 0.55.1 (Cosmos SDK 0.50 compatible), 0.54.1 or 0.53.3; `go mod tidy`; commit. 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same version as your wasmvm version. 4. Check the updated wasmd version: `go list -m github.com/CosmWasm/wasmd` and ensure you see 0.60.1, 0.55.1, 0.54.1 or 0.53.3. 5. Follow your regular practices to deploy chain upgrades. The patch is consensus breaking. ## Acknowledgement This problem was discovered during an audit of the CosmWasm stack performed by Sherlock and funded by ICF/ICL in Q1 2025. Thank you for that work! If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see <https://hackerone.com/cosmos>. ## Timeline - 2025-03-03: Auditor informs Confio about this issue. - 2025-04-10: Confio developed the patch internally. - 2025-06-05: Upcoming patch is announced. - 2025-06-10: Patch is released. [^1]: following Amulet's Severity Classification Framework ACMv1.2: <https://github.com/interchainio/security/blob/0295254e8645301ccb606d46108a45cede0a73e0/resources/CLASSIFICATION_MATRIX.md>

Metadata

Created: 2025-06-11T14:44:38Z
Modified: 2025-06-11T14:44:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-79xg-q4qm-7v9w/GHSA-79xg-q4qm-7v9w.json
CWE IDs: []
Alternative ID: N/A
Finding: F014
Auto approve: 1