GHSA-X5VX-95H7-RV4P
Vulnerability from github – Published: 2025-02-20 20:18 – Updated: 2025-02-20 20:18Name: ASA-2025-003: Groups module can halt chain when handling a malicious proposal Component: CosmosSDK Criticality: High (Considerable Impact; Likely Likelihood per ACMv1.2) Affected versions: <= v0.47.15, <= 0.50.11 Affected users: Validators, Full nodes, Users on chains that utilize the groups module
Description
An issue was discovered in the groups module where a malicious proposal would result in a division by zero, and subsequently halt a chain due to the resulting error. Any user that can interact with the groups module can introduce this state.
Patches
The new Cosmos SDK release v0.50.12 and v0.47.16 fix this issue.
Workarounds
There are no known workarounds for this issue. It is advised that chains apply the update.
Timeline
- February 9, 2025, 5:18pm PST: Issue reported to the Cosmos Bug Bounty program
- February 9, 2025, 8:12am PST: Issue triaged by Amulet on-call, and distributed to Core team
- February 9, 2025, 12:25pm PST: Core team completes validation of issue
- February 18, 2025, 8:00am PST / 17:00 CET: Pre-notification delivered
- February 20, 2025, 8:00am PST / 17:00 CET: Patch made available
This issue was reported to the Cosmos Bug Bounty Program by dongsam on HackerOne on February 9, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
If you have questions about Interchain security efforts, please reach out to our official communication channel at security@interchain.io. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.
A Github Security Advisory for this issue is available in the Cosmos SDK repository.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.47.15"
},
"package": {
"ecosystem": "Go",
"name": "github.com/cosmos/cosmos-sdk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.47.16-ics-lsm"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.50.11"
},
"package": {
"ecosystem": "Go",
"name": "github.com/cosmos/cosmos-sdk"
},
"ranges": [
{
"events": [
{
"introduced": "0.50.0-alpha.0"
},
{
"fixed": "0.50.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-20T20:18:25Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Name: ASA-2025-003: Groups module can halt chain when handling a malicious proposal\nComponent: CosmosSDK\nCriticality: High (Considerable Impact; Likely Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))\nAffected versions: \u003c= v0.47.15, \u003c= 0.50.11\nAffected users: Validators, Full nodes, Users on chains that utilize the groups module\n\n### Description\n\nAn issue was discovered in the groups module where a malicious proposal would result in a division by zero, and subsequently halt a chain due to the resulting error. Any user that can interact with the groups module can introduce this state.\n\n### Patches\n\nThe new Cosmos SDK release [v0.50.12](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.12) and [v0.47.16](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.16) fix this issue.\n\n### Workarounds\n\nThere are no known workarounds for this issue. It is advised that chains apply the update.\n\n### Timeline\n\n* February 9, 2025, 5:18pm PST: Issue reported to the Cosmos Bug Bounty program\n* February 9, 2025, 8:12am PST: Issue triaged by Amulet on-call, and distributed to Core team\n* February 9, 2025, 12:25pm PST: Core team completes validation of issue\n* February 18, 2025, 8:00am PST / 17:00 CET: Pre-notification delivered\n* February 20, 2025, 8:00am PST / 17:00 CET: Patch made available\n\nThis issue was reported to the Cosmos Bug Bounty Program by [dongsam](https://github.com/dongsam) on HackerOne on February 9, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.\n\nIf you have questions about Interchain security efforts, please reach out to our official communication channel at [security@interchain.io](mailto:security@interchain.io). For more information about the Interchain Foundation\u2019s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security. \n\nA Github Security Advisory for this issue is available in the Cosmos SDK [repository](https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-x5vx-95h7-rv4p).",
"id": "GHSA-x5vx-95h7-rv4p",
"modified": "2025-02-20T20:18:25Z",
"published": "2025-02-20T20:18:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-x5vx-95h7-rv4p"
},
{
"type": "WEB",
"url": "https://github.com/cosmos/cosmos-sdk/commit/0a98b65b24900a0e608866c78f172cf8e4140aea"
},
{
"type": "PACKAGE",
"url": "https://github.com/cosmos/cosmos-sdk"
},
{
"type": "WEB",
"url": "https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.16"
},
{
"type": "WEB",
"url": "https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Cosmos SDK: Groups module can halt chain when handling a malicious proposal"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.