GHSA-33cr-m232-xqch
Suggest an improvement- Source
- https://github.com/advisories/GHSA-33cr-m232-xqch
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-33cr-m232-xqch/GHSA-33cr-m232-xqch.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-33cr-m232-xqch
- Aliases
- Published
- 2025-03-11T21:54:29Z
- Modified
- 2025-03-14T20:05:07Z
- Severity
-
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- cheqd-node affected by Non-deterministic JSON Unmarshalling of IBC Acknowledgement
- Details
-
Description
An issue was discovered in IBC-Go's deserialization of acknowledgements that results in non-deterministic behavior which can halt a chain. Any user that can open an IBC channel can introduce this state to the chain.
This an upstream dependency used in cheqd-node, rather than a custom module.
Impact
Could result in a chain halt.
Patches
Validators, full nodes, and IBC relayers should upgrade to cheqd-node v3.1.7. This upgrade does not require a software upgrade proposal on-chain and is meant to be non state-breaking.
References
See ASA-2025-004: Non-deterministic JSON Unmarshalling of IBC Acknowledgement can result in a chain halt upstream on IBC-Go.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-502" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-03-11T21:54:29Z" }- References
-
- https://github.com/cheqd/cheqd-node/security/advisories/GHSA-33cr-m232-xqch
- https://github.com/cosmos/ibc-go/security/advisories/GHSA-jg6f-48ff-5xrw
- https://github.com/cosmos/ibc-go/commit/59987d52d959dc5876ffd4f307c9b33a52a43748
- https://github.com/cheqd/cheqd-node
- https://pkg.go.dev/vuln/GO-2025-3514
Affected packages
Go / github.com/cheqd/cheqd-node
Package
- Name
- github.com/cheqd/cheqd-node
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/cheqd/cheqd-node