Lookup for vulnerable packages by Package URL.

Purl pkg:golang/github.com/tharsis/ethermint@0.10.0
Type golang
Namespace github.com/tharsis
Name ethermint
Version 0.10.0
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-22ms-bx5h-ruc6
vulnerability_id VCID-22ms-bx5h-ruc6
summary
Drainage of FeeCollector's Block Transaction Fees in cronos
### Impact
In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom-crafted MsgEthereumTx.

User funds and balances are safe.


### Patches
This problem has been patched in Cronos v0.6.5 on the mempool level.
The next network upgrade with consensus-breaking changes will patch it on the consensus level.

### Workarounds
There are no tested workarounds. All validator node operators are recommended to upgrade to Cronos v0.6.5 at their earliest possible convenience.

### Credits
Thank you to @zb3 for reporting this issue on [Cronos Immunefi Bug Bounty Program](https://immunefi.com/bounty/cronos/), to @cyril-crypto for reproducing the issue and to @yihuang and @thomas-nguy for patching the issue on the CheckTx (mempool) and the DeliverTx (consensus) levels.

### For more information
If you have any questions or comments about this advisory:
* Open a discussion in [crypto-org-chain/cronos](https://github.com/crypto-org-chain/cronos/discussions/new)
* Email us at [chain@crypto.org](mailto:chain@crypto.org)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-43839
reference_id
reference_type
scores
0
value 0.00289
scoring_system epss
scoring_elements 0.52551
published_at 2026-06-04T12:55:00Z
1
value 0.00289
scoring_system epss
scoring_elements 0.52596
published_at 2026-06-09T12:55:00Z
2
value 0.00289
scoring_system epss
scoring_elements 0.52573
published_at 2026-06-08T12:55:00Z
3
value 0.00289
scoring_system epss
scoring_elements 0.526
published_at 2026-06-07T12:55:00Z
4
value 0.00289
scoring_system epss
scoring_elements 0.52618
published_at 2026-06-06T12:55:00Z
5
value 0.00289
scoring_system epss
scoring_elements 0.52611
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-43839
1
reference_url https://github.com/crypto-org-chain/cronos
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/crypto-org-chain/cronos
2
reference_url https://github.com/crypto-org-chain/cronos/commit/150ef237b37ac28c8136e1c0f494932860b9ebe8
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/crypto-org-chain/cronos/commit/150ef237b37ac28c8136e1c0f494932860b9ebe8
3
reference_url https://github.com/crypto-org-chain/cronos/pull/270
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/crypto-org-chain/cronos/pull/270
4
reference_url https://github.com/crypto-org-chain/cronos/security/advisories/GHSA-f854-hpxv-cw9r
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/crypto-org-chain/cronos/security/advisories/GHSA-f854-hpxv-cw9r
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-43839
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-43839
fixed_packages
0
url pkg:golang/github.com/tharsis/ethermint@0.7.3
purl pkg:golang/github.com/tharsis/ethermint@0.7.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/github.com/tharsis/ethermint@0.7.3
1
url pkg:golang/github.com/tharsis/ethermint@0.10.0
purl pkg:golang/github.com/tharsis/ethermint@0.10.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/github.com/tharsis/ethermint@0.10.0
aliases CVE-2021-43839, GHSA-f854-hpxv-cw9r
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-22ms-bx5h-ruc6
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:golang/github.com/tharsis/ethermint@0.10.0