{"url":"http://public2.vulnerablecode.io/api/packages/377321?format=json","purl":"pkg:golang/github.com/CosmWasm/wasmvm@0.0.0-20250204093451-1f4db20199b8","type":"golang","namespace":"github.com/CosmWasm","name":"wasmvm","version":"0.0.0-20250204093451-1f4db20199b8","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"0.0.0-20250204093451-1f4db20199b8","latest_non_vulnerable_version":"1.5.8","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360596?format=json","vulnerability_id":"VCID-um8d-yxef-xkbs","summary":"wasmvm: Malicious smart contract can slow down block production\n# CWA-2025-002\n\n**Severity**\n\nMedium (Moderate + Likely)[^1]\n\n**Affected versions:**\n\n- wasmvm >= 2.2.0, < 2.2.2\n- wasmvm >= 2.1.0, < 2.1.5\n- wasmvm >= 2.0.0, < 2.0.6\n- wasmvm < 1.5.8\n\n**Patched versions:**\n\n- wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2\n\n## Description of the bug\n\nThe vulnerability can be used to slow down block production. The attack requires a malicious contract,\nso permissioned chains are unlikely to be affected.\n\n(We'll add more detail once chains had a chance to upgrade.)\n\n## Patch\n\n- 1.5: https://github.com/CosmWasm/cosmwasm/commit/2b7f2faa57a1efc8207455c37f87f1eee6035a27\n- 2.0: https://github.com/CosmWasm/cosmwasm/commit/d6143b0aff16a39bbea4be37597d8e9d9b213d3b\n- 2.1: https://github.com/CosmWasm/cosmwasm/commit/f0c04c03cbe2557634c1bbcdc2ce203fe7caca58\n- 2.2: https://github.com/CosmWasm/cosmwasm/commit/a5d62f65b5eb947ebe40e2085b1c48a9d0a244d0\n\n## Applying the patch\n\nThe patch will be shipped in releases of wasmvm. You can update more or less as follows:\n\n1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm`\n2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to one of the patched version\n   depending on which minor version you are on; `go mod tidy`; commit.\n3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, update them accordingly.\n4. Check the updated wasmvm version: `go list -m github.com/CosmWasm/wasmvm` and ensure you see 1.5.8, 2.0.6, 2.1.5 or 2.2.2.\n5. Follow your regular practices to deploy chain upgrades.\n\nThe patch is consensus breaking and requires a coordinated upgrade.\n\n## Acknowledgement\n\nThis issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne.\n\nIf you believe you have found a bug in the Interchain Stack or would like to contribute to the\nprogram by reporting a bug, please see <https://hackerone.com/cosmos>.\n\n## Timeline\n\n- 2024-11-24: Confio receives a report through the Cosmos bug bounty program maintained by Amulet.\n- 2024-12-20: Confio security contributors confirm the report.\n- 2024-01-27: Confio developed the patch internally.\n- 2025-02-04: Patch gets released.\n\n[^1]: following Amulet's Severity Classification Framework ACMv1.2: https://github.com/interchainio/security/blob/0295254e8645301ccb606d46108a45cede0a73e0/resources/CLASSIFICATION_MATRIX.md","references":[{"reference_url":"https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2025-002.md","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2025-002.md"},{"reference_url":"https://github.com/CosmWasm/cosmwasm/commit/2b7f2faa57a1efc8207455c37f87f1eee6035a27","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/CosmWasm/cosmwasm/commit/2b7f2faa57a1efc8207455c37f87f1eee6035a27"},{"reference_url":"https://github.com/CosmWasm/cosmwasm/commit/a5d62f65b5eb947ebe40e2085b1c48a9d0a244d0","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/CosmWasm/cosmwasm/commit/a5d62f65b5eb947ebe40e2085b1c48a9d0a244d0"},{"reference_url":"https://github.com/CosmWasm/cosmwasm/commit/d6143b0aff16a39bbea4be37597d8e9d9b213d3b","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/CosmWasm/cosmwasm/commit/d6143b0aff16a39bbea4be37597d8e9d9b213d3b"},{"reference_url":"https://github.com/CosmWasm/cosmwasm/commit/f0c04c03cbe2557634c1bbcdc2ce203fe7caca58","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/CosmWasm/cosmwasm/commit/f0c04c03cbe2557634c1bbcdc2ce203fe7caca58"},{"reference_url":"https://github.com/CosmWasm/wasmvm","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/CosmWasm/wasmvm"},{"reference_url":"https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-mx2j-7cmv-353c","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-mx2j-7cmv-353c"},{"reference_url":"https://pkg.go.dev/vuln/GO-2025-3449","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pkg.go.dev/vuln/GO-2025-3449"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377321?format=json","purl":"pkg:golang/github.com/CosmWasm/wasmvm@0.0.0-20250204093451-1f4db20199b8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/CosmWasm/wasmvm@0.0.0-20250204093451-1f4db20199b8"},{"url":"http://public2.vulnerablecode.io/api/packages/377323?format=json","purl":"pkg:golang/github.com/CosmWasm/wasmvm@1.5.8-0.20250204093451-1f4db20199b8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/CosmWasm/wasmvm@1.5.8-0.20250204093451-1f4db20199b8"},{"url":"http://public2.vulnerablecode.io/api/packages/377317?format=json","purl":"pkg:golang/github.com/CosmWasm/wasmvm@1.5.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/CosmWasm/wasmvm@1.5.8"}],"aliases":["GHSA-mx2j-7cmv-353c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-um8d-yxef-xkbs"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/CosmWasm/wasmvm@0.0.0-20250204093451-1f4db20199b8"}