GO-2025-3476

See a problem?
Please try reporting it to the source first.
Source
https://pkg.go.dev/vuln/GO-2025-3476
Import Source
https://vuln.go.dev/ID/GO-2025-3476.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2025-3476
Aliases
Published
2025-03-03T16:11:01Z
Modified
2025-03-03T16:27:07.249528Z
Summary
Cosmos SDK: Groups module can halt chain when handling a malicious proposal in github.com/cosmos/cosmos-sdk
Details

Cosmos SDK: Groups module can halt chain when handling a malicious proposal in github.com/cosmos/cosmos-sdk

Database specific 
{
    "url": "https://pkg.go.dev/vuln/GO-2025-3476",
    "review_status": "REVIEWED"
}
References

Affected packages

Go / github.com/cosmos/cosmos-sdk

Package

Name
github.com/cosmos/cosmos-sdk
View open source insights on deps.dev
Purl
pkg:golang/github.com/cosmos/cosmos-sdk

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.47.16-ics-lsm
Introduced
0.50.0-alpha.0
Fixed
0.50.12

Ecosystem specific 

{
    "imports": [
        {
            "symbols": [
                "PercentageDecisionPolicy.Allow"
            ],
            "path": "github.com/cosmos/cosmos-sdk/x/group"
        },
        {
            "symbols": [
                "Keeper.UpdateGroupMembers"
            ],
            "path": "github.com/cosmos/cosmos-sdk/x/group/keeper"
        },
        {
            "symbols": [
                "SimulateMsgUpdateGroupMembers",
                "WeightedOperations"
            ],
            "path": "github.com/cosmos/cosmos-sdk/x/group/simulation"
        }
    ]
}

Database specific

source 
"https://vuln.go.dev/ID/GO-2025-3476.json"