What is the severity of GHSA-mx2j-7cmv-353c?

The severity of GHSA-mx2j-7cmv-353c is classified as Medium.

How do I fix GHSA-mx2j-7cmv-353c?

To fix GHSA-mx2j-7cmv-353c, upgrade to one of the patched versions: wasmvm 1.5.8, 2.0.6, 2.1.5, or 2.2.2.

Which versions of wasmvm are affected by GHSA-mx2j-7cmv-353c?

Affected versions of wasmvm include any version from 2.2.0 up to but not including 2.2.2, from 2.1.0 up to but not including 2.1.5, from 2.0.0 up to but not including 2.0.6, and any version below 1.5.8.

What is the best way to identify if I am using an affected version related to GHSA-mx2j-7cmv-353c?

To identify if you are using an affected version for GHSA-mx2j-7cmv-353c, check your current installed version of wasmvm and compare it with the specified affected ranges.

What is the impact of the vulnerability GHSA-mx2j-7cmv-353c?

The impact of the vulnerability GHSA-mx2j-7cmv-353c may lead to unexpected behavior in applications utilizing the affected wasmvm versions.

Vulnerability/
GHSA-mx2j-7cmv-353c

4/2/2025

GHSA-mx2j-7cmv-353c

First published: Tue Feb 04 2025(Updated: )

# CWA-2025-002 **Severity** Medium (Moderate + Likely)[^1] **Affected versions:** - wasmvm >= 2.2.0, < 2.2.2 - wasmvm >= 2.1.0, < 2.1.5 - wasmvm >= 2.0.0, < 2.0.6 - wasmvm < 1.5.8 **Patched versions:** - wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2 ## Description of the bug The vulnerability can be used to slow down block production. The attack requires a malicious contract, so permissioned chains are unlikely to be affected. (We'll add more detail once chains had a chance to upgrade.) ## Patch - 1.5: https://github.com/CosmWasm/cosmwasm/commit/2b7f2faa57a1efc8207455c37f87f1eee6035a27 - 2.0: https://github.com/CosmWasm/cosmwasm/commit/d6143b0aff16a39bbea4be37597d8e9d9b213d3b - 2.1: https://github.com/CosmWasm/cosmwasm/commit/f0c04c03cbe2557634c1bbcdc2ce203fe7caca58 - 2.2: https://github.com/CosmWasm/cosmwasm/commit/a5d62f65b5eb947ebe40e2085b1c48a9d0a244d0 ## Applying the patch The patch will be shipped in releases of wasmvm. You can update more or less as follows: 1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm` 2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to one of the patched version depending on which minor version you are on; `go mod tidy`; commit. 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, update them accordingly. 4. Check the updated wasmvm version: `go list -m github.com/CosmWasm/wasmvm` and ensure you see 1.5.8, 2.0.6, 2.1.5 or 2.2.2. 5. Follow your regular practices to deploy chain upgrades. The patch is consensus breaking and requires a coordinated upgrade. ## Acknowledgement This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see <https://hackerone.com/cosmos>. ## Timeline - 2024-11-24: Confio receives a report through the Cosmos bug bounty program maintained by Amulet. - 2024-12-20: Confio security contributors confirm the report. - 2024-01-27: Confio developed the patch internally. - 2025-02-04: Patch gets released. [^1]: following Amulet's Severity Classification Framework ACMv1.2: https://github.com/interchainio/security/blob/0295254e8645301ccb606d46108a45cede0a73e0/resources/CLASSIFICATION_MATRIX.md

Affected Software	Affected Version	How to fix
go/github.com/CosmWasm/wasmvm/v2	>=2.0.0<2.0.6	2.0.6
go/github.com/CosmWasm/wasmvm/v2	>=2.1.0<2.1.5	2.1.5
go/github.com/CosmWasm/wasmvm/v2	>=2.2.0<2.2.2	2.2.2
go/github.com/CosmWasm/wasmvm	<1.5.8	1.5.8
rust/cosmwasm-vm	<1.5.10	1.5.10
rust/cosmwasm-vm	>=2.0.0<2.0.9	2.0.9
rust/cosmwasm-vm	>=2.1.0<2.1.6	2.1.6
rust/cosmwasm-vm	=2.2.0	2.2.1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of GHSA-mx2j-7cmv-353c?
The severity of GHSA-mx2j-7cmv-353c is classified as Medium.
How do I fix GHSA-mx2j-7cmv-353c?
To fix GHSA-mx2j-7cmv-353c, upgrade to one of the patched versions: wasmvm 1.5.8, 2.0.6, 2.1.5, or 2.2.2.
Which versions of wasmvm are affected by GHSA-mx2j-7cmv-353c?
Affected versions of wasmvm include any version from 2.2.0 up to but not including 2.2.2, from 2.1.0 up to but not including 2.1.5, from 2.0.0 up to but not including 2.0.6, and any version below 1.5.8.
What is the best way to identify if I am using an affected version related to GHSA-mx2j-7cmv-353c?
To identify if you are using an affected version for GHSA-mx2j-7cmv-353c, check your current installed version of wasmvm and compare it with the specified affected ranges.
What is the impact of the vulnerability GHSA-mx2j-7cmv-353c?
The impact of the vulnerability GHSA-mx2j-7cmv-353c may lead to unexpected behavior in applications utilizing the affected wasmvm versions.

collector/github-advisory-latest
source/GitHub
alias/GHSA-mx2j-7cmv-353c
agent/software-canonical-lookup
agent/last-modified-date
agent/references
agent/source
agent/description
agent/softwarecombine
agent/type
agent/tags
agent/first-publish-date
agent/event
package-manager/go
package-manager/rust