GHSA-JG6F-48FF-5XRW

GHSA-JG6F-48FF-5XRW is a critical-severity insecure deserialization vulnerability in github.com/cosmos/ibc-go (go), affecting versions < 7.9.2. It is fixed in 7.9.2, 8.6.1.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

IBC-Go has Non-deterministic JSON Unmarshalling of IBC Acknowledgement

Name: ASA-2025-004: Non-deterministic JSON Unmarshalling of IBC Acknowledgement can result in a chain halt
Component: IBC-Go
Criticality: Critical (Considerable Impact; Almost Certain Likelihood per ACMv1.2)
Affected versions: IBC-Go >= v7; Earlier IBC-Go versions may also be affected.
Affected users: Validators, Full nodes, IBC Middleware authors

Description

An issue was discovered in IBC-Go's deserialization of acknowledgements that results in non-deterministic behavior which can halt a chain. Any user that can open an IBC channel can introduce this state to the chain

Workarounds

To prevent this state from being introduced to a chain, it is possible to permission Channel Opening as a workaround.

Notes on Re-Release

Is this state breaking? Probably not but it depends on your transfer middlewares

This patch is not state breaking unless you depend on transfer middlewares that deserialize and serialize acknowledgement packets before passing them to the transfer handler. As far as we can tell, these middlewares are rare. For example, packet-forward-middleware and ibc-hooks, do not serialize ack packets in this way and therefore aren't broken by this patch. So if these are the only transfer middlewares you depend on, you can safely apply this patch in a rolling manner (and we've already cut new versions of these for you).

What to do if you do depend on ack-serializing middleware

In the unlikely case that you depend on middlewares that serialize ack packets and you do not update them when you apply this patch, all transfers that are handled by the middleware will fail (or experience other unexpected behavior) if the serialization approach differs from the transfer app's. If you have such dependencies and do not update them, validators who apply the patch in a rolling manner will halt when they upgrade, and transfers processed by the middleware will just fail once everyone has upgraded.

To update these middlewares and avoid failing transfers or a chain halt, you will simply need to change the serialization approach in the middleware to use ibc-go's codec: transfertypes.ModuleCdc.[Must]MarshalJSON, rather than whatever you're doing today. For example:

import transfertypes "github.com/cosmos/ibc-go/v10/modules/apps/transfer/types"
transfertypes.ModuleCdc.[Must]MarshalJSON
func MarshalAsIBCDoes(ack channeltypes.Acknowledgement) ([]byte, error) {
	return transfertypes.ModuleCdc.MarshalJSON(&ack)
}

When you do make a change to the serialization approach, this will make the patch state breaking and you will need a coordinated upgrade. So for absolute clarity: chains with these ack-serializing middlewares must do coordinated upgrades

Why we retracted the earlier patch in favor of this approach

We retracted the releases of ibc-go we cut earlier today because these broke all transfer middlewares that deserialized then re-serialized receive packets differently than the transfer app. It turned out that this was a common pattern (unlike serializing/deserializing ack packets), so widely used middlewares, including packet-forward-middleware, broke unexpectedly.

In the new set of patches, we removed this constraint on how middlewares serialize receive packets, preventing this breakage. Only the serialization requirement on acknowledgement packets remains. This is convenient because this is the only constraint we had to add to fix the vulnerability, and middlewares that deserialize and serialize ack packets are much less common than ones that do so for receive packets. The constraint on receive packets was added for defense in depth.

Testing we have done to gain more confidence in this release

  • In addition to testing ibc-go, we also did the following:
  • Tested pfm v7 and v8 after bumping dependencies
  • Tested ibc-hooks v7 and v8 after bumping dependencies
  • Ran a patched node on mainnet on the cosmos hub and triggered failing and successful transactions that used PFM
  • Ran a patched node on osmosis and triggered failing and successful transactions that used ibc-hooks
    This is a more thorough process than before, so we have higher confidence.

Timeline

  • February 18, 2025, 4:54am PST: Issue reported to the Cosmos Bug Bounty program
  • February 18, 2025, 6:56am PST: Issue triaged by Amulet on-call, and distributed to Core team
  • February 18, 2025, 8:15am PST: Core team completes validation of issue
  • February 25, 2025, 8:00am PST / 17:00 CET: Pre-notification delivered
  • February 27, 2025, 8:00am PST / 17:00 CET: Patch made available
  • February 27, 2025, 1:00pm PST: Patch re-release made available

This issue was reported to the Cosmos Bug Bounty Program by swelf19 on HackerOne on February 18, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

If you have questions about Interchain security efforts, please reach out to our official communication channel at [email protected]. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.

A Github Security Advisory for this issue is available in the IBC-Go repository.

Impact

Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect. Typical impact: arbitrary code execution or logic abuse.

Affected versions

github.com/cosmos/ibc-go (< 7.9.2) github.com/cosmos/ibc-go/v2 (< 7.9.2) github.com/cosmos/ibc-go/v3 (< 7.9.2) github.com/cosmos/ibc-go/v4 (< 7.9.2) github.com/cosmos/ibc-go/v5 (< 7.9.2) github.com/cosmos/ibc-go/v6 (< 7.9.2) github.com/cosmos/ibc-go/v7 (< 7.9.2) github.com/cosmos/ibc-go/v8 (< 8.6.1)

Security releases

github.com/cosmos/ibc-go/v7 → 7.9.2 (go) github.com/cosmos/ibc-go/v8 → 8.6.1 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

The new IBC-Go releases below address this issue:

Frequently Asked Questions

  1. What is GHSA-JG6F-48FF-5XRW? GHSA-JG6F-48FF-5XRW is a critical-severity insecure deserialization vulnerability in github.com/cosmos/ibc-go (go), affecting versions < 7.9.2. It is fixed in 7.9.2, 8.6.1. Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect.
  2. Which packages are affected by GHSA-JG6F-48FF-5XRW?
    • github.com/cosmos/ibc-go (go) (versions < 7.9.2)
    • github.com/cosmos/ibc-go/v2 (go) (versions < 7.9.2)
    • github.com/cosmos/ibc-go/v3 (go) (versions < 7.9.2)
    • github.com/cosmos/ibc-go/v4 (go) (versions < 7.9.2)
    • github.com/cosmos/ibc-go/v5 (go) (versions < 7.9.2)
    • github.com/cosmos/ibc-go/v6 (go) (versions < 7.9.2)
    • github.com/cosmos/ibc-go/v7 (go) (versions < 7.9.2)
    • github.com/cosmos/ibc-go/v8 (go) (versions < 8.6.1)
  3. Is there a fix for GHSA-JG6F-48FF-5XRW? Yes. GHSA-JG6F-48FF-5XRW is fixed in 7.9.2, 8.6.1. Upgrade to this version or later.
  4. Is GHSA-JG6F-48FF-5XRW exploitable, and should I be worried? Whether GHSA-JG6F-48FF-5XRW is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether GHSA-JG6F-48FF-5XRW is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix GHSA-JG6F-48FF-5XRW?
    • Upgrade github.com/cosmos/ibc-go/v7 to 7.9.2 or later
    • Upgrade github.com/cosmos/ibc-go/v8 to 8.6.1 or later

Other vulnerabilities in github.com/cosmos/ibc-go

Stop the waste.
Protect your environment with Kodem.