GHSA-h2rp-8vpx-q9r4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h2rp-8vpx-q9r4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-h2rp-8vpx-q9r4/GHSA-h2rp-8vpx-q9r4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-h2rp-8vpx-q9r4
- Published
- 2025-03-13T16:26:11Z
- Modified
- 2025-03-13T16:26:11Z
- Summary
- cheqd-node Security patch for upstream vulnerabilities in IBC-Go (ISA-2025-001) and Cosmos SDK (ISA-2025-002)
- Details
-
Description
There have been two upstream security advisories and associated patches published under ISA-2025-001 and ISA-2025-002.
ISA-2025-001 affects the IBC-Go package., where non-deterministic JSON unmarshalling of IBC Acknowledgements can result in a chain halt.
ISA-2025-002 affects the Cosmos SDK package, where
x/groupcan halt when erroring inEndBlocker.Impact
If unaddressed, this could result in a chain halt.
Patches
Validators, full nodes, and IBC relayers should upgrade to cheqd-node v3.1.8. This upgrade does not require a software upgrade proposal on-chain and is meant to be non state-breaking.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-1395" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-03-13T16:26:11Z" }- References
-
- https://github.com/cheqd/cheqd-node/security/advisories/GHSA-h2rp-8vpx-q9r4
- https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-47ww-ff84-4jrg
- https://github.com/cosmos/ibc-go/security/advisories/GHSA-4wf3-5qj9-368v
- https://github.com/cheqd/cheqd-node/commit/5a58b08dfb8dfc24631fb85b641cb75e9178d07f
- https://github.com/cheqd/cheqd-node
- https://github.com/cheqd/cheqd-node/releases/tag/v3.1.8
Affected packages
Go / github.com/cheqd/cheqd-node
Package
- Name
- github.com/cheqd/cheqd-node
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/cheqd/cheqd-node