GHSA-47ww-ff84-4jrg

Name: ISA-2025-002: x/group can halt when erroring in EndBlocker Component: CosmosSDK Criticality: High (Considerable Impact; Likely Likelihood per ACMv1.2) Affected versions: <= v0.47.16, <= 0.50.12 Affected users: Validators, Full nodes, Users on chains that utilize the groups module Cosmos SDK chains in unpatched releases that use the x/group module are affected.

Description

An issue was discovered in the groups module where malicious proposals would result in an errors triggered in the module's end blocker that could result in a chain halt. Any set of users that can interact with the groups module could introduce this state.

Patches

Has the problem been patched? What versions should users upgrade to?

The new Cosmos SDK release v0.50.13 and v0.47.17 fix this issue.

Testing

Testing we have done to gain more confidence in this release:

In addition to testing Cosmos SDK we also did the following:

• Ran a patched node in a local v0.50 testnet with the failing state and did not halt (an unpatched network confirmed to halt)
• Ran a patched node on Xion Mainnet (uses x/group)
• Ran a patched node on Zetachain Mainnet (uses x/xgroup)

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There are no known workarounds for this issue. It is advised that chains apply the update.

This issue was reported to the Cosmos Bug Bounty Program by dongsam on HackerOne on February 28, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

If you have questions about Interchain security efforts, please reach out to our official communication channel at security@interchain.io. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.