Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-mx2j-7cmv-353c: wasmvm: Malicious smart contract can slow down block production

CWA-2025-002

Severity

Medium (Moderate + Likely)[1]

Affected versions:

  • wasmvm >= 2.2.0, < 2.2.2
  • wasmvm >= 2.1.0, < 2.1.5
  • wasmvm >= 2.0.0, < 2.0.6
  • wasmvm < 1.5.8

Patched versions:

  • wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2

Description of the bug

The vulnerability can be used to slow down block production. The attack requires a malicious contract, so permissioned chains are unlikely to be affected.

(We’ll add more detail once chains had a chance to upgrade.)

Patch

  • 1.5: https://github.com/CosmWasm/cosmwasm/commit/2b7f2faa57a1efc8207455c37f87f1eee6035a27
  • 2.0: https://github.com/CosmWasm/cosmwasm/commit/d6143b0aff16a39bbea4be37597d8e9d9b213d3b
  • 2.1: https://github.com/CosmWasm/cosmwasm/commit/f0c04c03cbe2557634c1bbcdc2ce203fe7caca58
  • 2.2: https://github.com/CosmWasm/cosmwasm/commit/a5d62f65b5eb947ebe40e2085b1c48a9d0a244d0

Applying the patch

The patch will be shipped in releases of wasmvm. You can update more or less as follows:

  1. Check the current wasmvm version: go list -m github.com/CosmWasm/wasmvm
  2. Bump the github.com/CosmWasm/wasmvm dependency in your go.mod to one of the patched version depending on which minor version you are on; go mod tidy; commit.
  3. If you use the static libraries libwasmvm_muslc.aarch64.a/libwasmvm_muslc.x86_64.a, update them accordingly.
  4. Check the updated wasmvm version: go list -m github.com/CosmWasm/wasmvm and ensure you see 1.5.8, 2.0.6, 2.1.5 or 2.2.2.
  5. Follow your regular practices to deploy chain upgrades.

The patch is consensus breaking and requires a coordinated upgrade.

Acknowledgement

This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne.

If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

Timeline

  • 2024-11-24: Confio receives a report through the Cosmos bug bounty program maintained by Amulet.
  • 2024-12-20: Confio security contributors confirm the report.
  • 2024-01-27: Confio developed the patch internally.
  • 2025-02-04: Patch gets released.

  1. following Amulet’s Severity Classification Framework ACMv1.2: https://github.com/interchainio/security/blob/0295254e8645301ccb606d46108a45cede0a73e0/resources/CLASSIFICATION_MATRIX.md

ghsa
Open in Source
#vulnerability#git
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. GHSA-mx2j-7cmv-353c

wasmvm: Malicious smart contract can slow down block production

Moderate severity GitHub Reviewed Published Feb 4, 2025 in CosmWasm/wasmvm • Updated Feb 4, 2025

Package

cargo cosmwasm-vm (Rust)

Affected versions

= 2.2.0

>= 2.1.0, < 2.1.6

>= 2.0.0, < 2.0.9

< 1.5.10

Patched versions

2.2.1

2.1.6

2.0.9

1.5.10

gomod github.com/CosmWasm/wasmvm (Go)

gomod github.com/CosmWasm/wasmvm/v2 (Go)

>= 2.2.0, < 2.2.2

>= 2.1.0, < 2.1.5

>= 2.0.0, < 2.0.6

CWA-2025-002

Severity

Medium (Moderate + Likely)1

Affected versions:

  • wasmvm >= 2.2.0, < 2.2.2
  • wasmvm >= 2.1.0, < 2.1.5
  • wasmvm >= 2.0.0, < 2.0.6
  • wasmvm < 1.5.8

Patched versions:

  • wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2

Description of the bug

The vulnerability can be used to slow down block production. The attack requires a malicious contract,
so permissioned chains are unlikely to be affected.

(We’ll add more detail once chains had a chance to upgrade.)

Patch

  • 1.5: CosmWasm/cosmwasm@2b7f2fa
  • 2.0: CosmWasm/cosmwasm@d6143b0
  • 2.1: CosmWasm/cosmwasm@f0c04c0
  • 2.2: CosmWasm/cosmwasm@a5d62f6

Applying the patch

The patch will be shipped in releases of wasmvm. You can update more or less as follows:

  1. Check the current wasmvm version: go list -m github.com/CosmWasm/wasmvm
  2. Bump the github.com/CosmWasm/wasmvm dependency in your go.mod to one of the patched version
    depending on which minor version you are on; go mod tidy; commit.
  3. If you use the static libraries libwasmvm_muslc.aarch64.a/libwasmvm_muslc.x86_64.a, update them accordingly.
  4. Check the updated wasmvm version: go list -m github.com/CosmWasm/wasmvm and ensure you see 1.5.8, 2.0.6, 2.1.5 or 2.2.2.
  5. Follow your regular practices to deploy chain upgrades.

The patch is consensus breaking and requires a coordinated upgrade.

Acknowledgement

This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne.

If you believe you have found a bug in the Interchain Stack or would like to contribute to the
program by reporting a bug, please see https://hackerone.com/cosmos.

Timeline

  • 2024-11-24: Confio receives a report through the Cosmos bug bounty program maintained by Amulet.
  • 2024-12-20: Confio security contributors confirm the report.
  • 2024-01-27: Confio developed the patch internally.
  • 2025-02-04: Patch gets released.

References

  • GHSA-mx2j-7cmv-353c
  • CosmWasm/cosmwasm@2b7f2fa
  • CosmWasm/cosmwasm@a5d62f6
  • CosmWasm/cosmwasm@d6143b0
  • CosmWasm/cosmwasm@f0c04c0
  • https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2025-002.md
  1. following Amulet’s Severity Classification Framework ACMv1.2: https://github.com/interchainio/security/blob/0295254e8645301ccb606d46108a45cede0a73e0/resources/CLASSIFICATION_MATRIX.md ↩

Published to the GitHub Advisory Database

Feb 4, 2025

ghsa: Latest News

GHSA-wc9m-r3v6-9p5h: Sparkle Signing Checks Bypass
ghsa