Severity
Medium (Moderate + Likely)[^1]
Affected versions:
Patched versions:
The vulnerability can be used to slow down block production. The attack requires a malicious contract, so permissioned chains are unlikely to be affected.
(We'll add more detail once chains have had a chance to upgrade.)
The patch will be shipped in releases of wasmvm. You can update more or less as follows:

1. Run `go list -m github.com/CosmWasm/wasmvm` to see which wasmvm version you are currently on.
2. Update the `github.com/CosmWasm/wasmvm` dependency in your go.mod to one of the patched versions, depending on which minor version you are on; run `go mod tidy`; commit.
3. If your build ships the static libraries `libwasmvm_muslc.aarch64.a` / `libwasmvm_muslc.x86_64.a`, update them accordingly.
4. Run `go list -m github.com/CosmWasm/wasmvm` again and ensure you see 1.5.8, 2.0.6, 2.1.5 or 2.2.2.

The patch is consensus breaking and requires a coordinated upgrade.
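The final step above is easy to get wrong by eye when several minor lines are in play, so here is a small POSIX shell check, added here as an example and not part of the advisory or of the wasmvm project, that takes a `go list -m` output line and reports whether the version is at or above the patched release of its own minor line (1.5.8, 2.0.6, 2.1.5, 2.2.2). The sample `go list` line is constructed; function names are this example's own. Pre-release versions and minor lines not named in the advisory are reported as not verified rather than guessed at.

```shell
#!/bin/sh
# Added example: verify a wasmvm version against the patched releases listed
# in the advisory. Not part of the advisory or of the wasmvm project.

# Extract the bare version from a `go list -m` line, e.g.
# "github.com/CosmWasm/wasmvm/v2 v2.1.4" -> "2.1.4".
wasmvm_version_from_go_list() {
    printf '%s\n' "$1" | awk '{print $NF}' | sed 's/^v//'
}

# Return 0 when $1 (e.g. "2.1.5") is at or above the patched release of its
# minor line, 1 otherwise. Minimum patch levels are taken from the advisory.
wasmvm_is_patched() {
    ver=$1
    case "$ver" in
        *.*.*) ;;                 # need major.minor.patch
        *) return 1 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$patch" in
        *[!0-9]*) return 1 ;;     # pre-release/build suffix: not a patched release
    esac
    case "$major.$minor" in
        1.5) min=8 ;;
        2.0) min=6 ;;
        2.1) min=5 ;;
        2.2) min=2 ;;
        *) return 1 ;;            # minor line not covered by the advisory
    esac
    [ "$patch" -ge "$min" ]
}

# Constructed sample of `go list -m` output (not real project output).
SAMPLE_GO_LIST='github.com/CosmWasm/wasmvm/v2 v2.1.4'
v=$(wasmvm_version_from_go_list "$SAMPLE_GO_LIST")
if wasmvm_is_patched "$v"; then
    echo "wasmvm $v: patched"
else
    echo "wasmvm $v: NOT patched, upgrade required"
fi
```

In a real project replace the constructed sample with `$(go list -m github.com/CosmWasm/wasmvm)` (or the `/v2` module path for the 2.x lines) and wire the exit status into CI so a node build fails when the dependency regresses below the patched release.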
This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne.
If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
Advisory metadata: severity MODERATE; GitHub reviewed 2025-02-04T18:57:21Z; no CWE IDs assigned; no NVD publication date.