GHSA-P22H-3M2V-CMGH

Vulnerability from github – Published: 2025-07-08 23:33 – Updated: 2025-07-08 23:33
VLAI
Summary
Cosmos SDK's Integer Overflow vulnerability in its Validator Rewards pool can cause a chain halt
Details

Description Name: ISA-2025-005: Integer Overflow in Cosmos SDK Component: CosmosSDK Criticality: High (Considerable Impact; Likely Likelihood per ACMv1.2) Affected versions: <= v0.50.13, <= 0.53.2 Affected users: Validators, Full nodes, Users on chains that utilize the distribution module Cosmos SDK chains in unpatched releases that use the x/distribution module are affected.

Description An issue was discovered in the distribution module where a malicious deposit into the Validator Rewards pool would result in an integer overflow that would cause a chain halt. A malicious validator can interact with the distribution module to introduce this state.

Patches Has the problem been patched? What versions should users upgrade to?

The new Cosmos SDK release v0.50.14 and v0.53.3 fix this issue.

There are no known workarounds for this issue. It is advised that chains apply the update.

This issue was reported to the Cosmos Bug Bounty Program by myte1111111 on HackerOne on April 15, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

If you have questions about Interchain security efforts, please reach out to our official communication channel at security@interchain.io. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/cosmos-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.50.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/cosmos-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.52.0-alpha.1"
            },
            {
              "fixed": "0.53.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-08T23:33:08Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Description\nName: ISA-2025-005: Integer Overflow in Cosmos SDK\nComponent: CosmosSDK\nCriticality: High (Considerable Impact; Likely Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))\nAffected versions: \u003c= v0.50.13, \u003c= 0.53.2\nAffected users: Validators, Full nodes, Users on chains that utilize the distribution module\nCosmos SDK chains in unpatched releases that use the x/distribution module are affected.\n\nDescription\nAn issue was discovered in the distribution module where a malicious deposit into the Validator Rewards pool would result in an integer overflow that would cause a chain halt. A malicious validator can interact with the distribution module to introduce this state.\n\nPatches\nHas the problem been patched? What versions should users upgrade to?\n\nThe new Cosmos SDK release [v0.50.14](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.14) and [v0.53.3](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.53.3) fix this issue.\n\nThere are no known workarounds for this issue. It is advised that chains apply the update.\n\nThis issue was reported to the Cosmos Bug Bounty Program by `myte1111111` on HackerOne on April 15, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.\n\nIf you have questions about Interchain security efforts, please reach out to our official communication channel at [security@interchain.io](mailto:security@interchain.io). For more information about the Interchain Foundation\u2019s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.",
  "id": "GHSA-p22h-3m2v-cmgh",
  "modified": "2025-07-08T23:33:08Z",
  "published": "2025-07-08T23:33:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-p22h-3m2v-cmgh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cosmos/cosmos-sdk/commit/c4a14fa7b6828432fdabdb8b4af68ade9403ce49"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cosmos/cosmos-sdk/commit/f2e6295b662fdb27ea33da1296c29588ccdaab42"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cosmos/cosmos-sdk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Cosmos SDK\u0027s Integer Overflow vulnerability in its Validator Rewards pool can cause a chain halt"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…