GHSA-8WCC-M6J2-QXVM

GHSA-8WCC-M6J2-QXVM is a high-severity uncontrolled resource consumption vulnerability in github.com/cosmos/cosmos-sdk (go), affecting versions >= 0.50.0-alpha.0, < 0.50.11. It is fixed in 0.50.11, 0.47.15, 0.13.7.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

ASA-2024-0012, ASA-2024-0013: CosmosSDK: Transaction decoding may result in a stack overflow or resource exhaustion

ASA-2024-0012

Name: ASA-2024-0012, Transaction decoding may result in a stack overflow
Component: Cosmos SDK
Criticality: High (Considerable Impact, and Possible Likelihood per ACMv1.2)
Affected versions: cosmos-sdk versions <= v0.50.10, <= v0.47.14
Affected users: Chain Builders + Maintainers, Validators, node operators

ASA-2024-0013

Name: ASA-2024-0013: CosmosSDK: Transaction decoding may result in resource exhaustion
Component: Cosmos SDK
Criticality: High (Considerable Impact, and Possible Likelihood per ACMv1.2)
Affected versions: cosmos-sdk versions <= v0.50.10, <= v0.47.14
Affected users: Chain Builders + Maintainers, Validators, node operators

ASA-2024-0012

When decoding a maliciously formed packet with a deeply-nested structure, it may be possible for a stack overflow to occur and result in a network halt. This was addressed by adding a recursion limit while decoding the packet.

ASA-2024-0013

Nested messages in a transaction can consume exponential cpu and memory on UnpackAny calls. Themax_tx_bytes sets a limit for external TX but is not applied for internal messages emitted by wasm contracts or a malicious validator block. This may result in a node crashing due to resource exhaustion. This was addressed by adding additional validation to prevent this condition.

Timeline for ASA-2024-0012

  • October 1, 2024, 12:29pm UTC: Issue reported to the Cosmos Bug Bounty program
  • October 1, 2024, 2:47pm UTC: Issue triaged by Amulet on-call, and distributed to Core team
  • December 9, 2024, 11:13am UTC: Core team completes patch for issue
  • Dec 14, 2024,16:00 UTC: Pre-notification delivered
  • Dec 16, 2024, 16:00 UTC: Patch made available

This issue was reported to the Cosmos Bug Bounty Program on HackerOne on October 1, 2024.

Timeline for ASA-2024-0013

  • October 19, 2024, 8:12pm UTC: Issue reported to the Cosmos Bug Bounty program
  • October 19, 2024, 8:28pm UTC: Issue triaged by Amulet on-call, and distributed to Core team
  • December 11, 2024, 3:31pm UTC: Core team completes patch for issue
  • Dec 14, 2024, 16:00 UTC: Pre-notification delivered
  • Dec 16, 2024, 16:00 UTC: Patch made available

This issue was reported by LonelySloth to the Cosmos Bug Bounty Program on HackerOne on October 19, 2024.

If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

If you have questions about Interchain security efforts, please reach out to our official communication channel at [email protected]. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.

Impact

Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service. Typical impact: denial of service.

Affected versions

github.com/cosmos/cosmos-sdk (>= 0.50.0-alpha.0, < 0.50.11) github.com/cosmos/cosmos-sdk (< 0.47.15) cosmossdk.io/x/tx (< 0.13.7)

Security releases

github.com/cosmos/cosmos-sdk → 0.50.11 (go) github.com/cosmos/cosmos-sdk → 0.47.15 (go) cosmossdk.io/x/tx → 0.13.7 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

The issues above are resolved in Cosmos SDK versions v0.47.15 or v0.50.11.
Please upgrade ASAP.

Frequently Asked Questions

  1. What is GHSA-8WCC-M6J2-QXVM? GHSA-8WCC-M6J2-QXVM is a high-severity uncontrolled resource consumption vulnerability in github.com/cosmos/cosmos-sdk (go), affecting versions >= 0.50.0-alpha.0, < 0.50.11. It is fixed in 0.50.11, 0.47.15, 0.13.7. Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service.
  2. Which packages are affected by GHSA-8WCC-M6J2-QXVM?
    • github.com/cosmos/cosmos-sdk (go) (versions >= 0.50.0-alpha.0, < 0.50.11)
    • cosmossdk.io/x/tx (go) (versions < 0.13.7)
  3. Is there a fix for GHSA-8WCC-M6J2-QXVM? Yes. GHSA-8WCC-M6J2-QXVM is fixed in 0.50.11, 0.47.15, 0.13.7. Upgrade to this version or later.
  4. Is GHSA-8WCC-M6J2-QXVM exploitable, and should I be worried? Whether GHSA-8WCC-M6J2-QXVM is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether GHSA-8WCC-M6J2-QXVM is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix GHSA-8WCC-M6J2-QXVM?
    • Upgrade github.com/cosmos/cosmos-sdk to 0.50.11 or later
    • Upgrade github.com/cosmos/cosmos-sdk to 0.47.15 or later
    • Upgrade cosmossdk.io/x/tx to 0.13.7 or later

Other vulnerabilities in github.com/cosmos/cosmos-sdk

Stop the waste.
Protect your environment with Kodem.