GHSA-47WW-FF84-4JRG

Vulnerability from github – Published: 2025-03-12 19:28 – Updated: 2025-08-20 17:39
VLAI
Summary
Cosmos SDK: x/group can halt when erroring in EndBlocker
Details

Name: ISA-2025-002: x/group can halt when erroring in EndBlocker Component: CosmosSDK Criticality: High (Considerable Impact; Likely Likelihood per ACMv1.2) Affected versions: <= v0.47.16, <= 0.50.12 Affected users: Validators, Full nodes, Users on chains that utilize the groups module Cosmos SDK chains in unpatched releases that use the x/group module are affected.

Description

An issue was discovered in the groups module where malicious proposals would result in an errors triggered in the module's end blocker that could result in a chain halt. Any set of users that can interact with the groups module could introduce this state.

Patches

Has the problem been patched? What versions should users upgrade to?

The new Cosmos SDK release v0.50.13 and v0.47.17 fix this issue.

Testing

Testing we have done to gain more confidence in this release:

In addition to testing Cosmos SDK we also did the following:

  • Ran a patched node in a local v0.50 testnet with the failing state and did not halt (an unpatched network confirmed to halt)
  • Ran a patched node on Xion Mainnet (uses x/group)
  • Ran a patched node on Zetachain Mainnet (uses x/xgroup)

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There are no known workarounds for this issue. It is advised that chains apply the update.

This issue was reported to the Cosmos Bug Bounty Program by wbowling on HackerOne on February 28, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

If you have questions about Interchain security efforts, please reach out to our official communication channel at security@interchain.io. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.50.12"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/cosmos-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.50.0-alpha.0"
            },
            {
              "fixed": "0.50.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.47.16"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/cosmos-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.47.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-12T19:28:42Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Name: ISA-2025-002: x/group can halt when erroring in EndBlocker\nComponent: CosmosSDK\nCriticality: High (Considerable Impact; Likely Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))\nAffected versions: \u003c= v0.47.16, \u003c= 0.50.12\nAffected users: Validators, Full nodes, Users on chains that utilize the groups module\nCosmos SDK chains in unpatched releases that use the `x/group` module are affected.\n\n### Description\n\nAn issue was discovered in the groups module where malicious proposals would result in an errors triggered in the module\u0027s end blocker that could result in a chain halt.  Any set of users that can interact with the groups module could introduce this state.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThe new Cosmos SDK release [v0.50.13](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.13) and [v0.47.17](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.17) fix this issue.\n\n### Testing\n\nTesting we have done to gain more confidence in this release:\n\nIn addition to testing Cosmos SDK we also did the following:\n\n- Ran a patched node in a local `v0.50` testnet with the failing state and did not halt (an unpatched network confirmed to halt)\n- Ran a patched node on Xion Mainnet (uses `x/group`)\n- Ran a patched node on Zetachain Mainnet (uses `x/xgroup`)\n    \n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nThere are no known workarounds for this issue. It is advised that chains apply the update.\n\nThis issue was reported to the Cosmos Bug Bounty Program by [wbowling](https://github.com/wbowling) on HackerOne on February 28, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.\n\nIf you have questions about Interchain security efforts, please reach out to our official communication channel at [security@interchain.io](mailto:security@interchain.io). For more information about the Interchain Foundation\u2019s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.",
  "id": "GHSA-47ww-ff84-4jrg",
  "modified": "2025-08-20T17:39:56Z",
  "published": "2025-03-12T19:28:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-47ww-ff84-4jrg"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cosmos/cosmos-sdk/commit/cbd69fb1f4fac418c1f8c6253f5f91fb1263776a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cosmos/cosmos-sdk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Cosmos SDK: x/group can halt when erroring in EndBlocker"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…