{ "schema_version": "1.4.0", "id": "GHSA-x5vx-95h7-rv4p", "modified": "2025-02-20T20:18:25Z", "published": "2025-02-20T20:18:25Z", "aliases": [], "summary": "Cosmos SDK: Groups module can halt chain when handling a malicious proposal", "details": "Name: ASA-2025-003: Groups module can halt chain when handling a malicious proposal\nComponent: CosmosSDK\nCriticality: High (Considerable Impact; Likely Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))\nAffected versions: <= v0.47.15, <= 0.50.11\nAffected users: Validators, Full nodes, Users on chains that utilize the groups module\n\n### Description\n\nAn issue was discovered in the groups module where a malicious proposal would result in a division by zero, and subsequently halt a chain due to the resulting error. Any user that can interact with the groups module can introduce this state.\n\n### Patches\n\nThe new Cosmos SDK release [v0.50.12](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.12) and [v0.47.16](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.16) fix this issue.\n\n### Workarounds\n\nThere are no known workarounds for this issue. It is advised that chains apply the update.\n\n### Timeline\n\n* February 9, 2025, 5:18pm PST: Issue reported to the Cosmos Bug Bounty program\n* February 9, 2025, 8:12am PST: Issue triaged by Amulet on-call, and distributed to Core team\n* February 9, 2025, 12:25pm PST: Core team completes validation of issue\n* February 18, 2025, 8:00am PST / 17:00 CET: Pre-notification delivered\n* February 20, 2025, 8:00am PST / 17:00 CET: Patch made available\n\nThis issue was reported to the Cosmos Bug Bounty Program by [dongsam](https://github.com/dongsam) on HackerOne on February 9, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.\n\nIf you have questions about Interchain security efforts, please reach out to our official communication channel at [security@interchain.io](mailto:security@interchain.io). For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security. \n\nA Github Security Advisory for this issue is available in the Cosmos SDK [repository](https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-x5vx-95h7-rv4p).", "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/cosmos/cosmos-sdk" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.47.16-ics-lsm" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 0.47.15" } }, { "package": { "ecosystem": "Go", "name": "github.com/cosmos/cosmos-sdk" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.50.0-alpha.0" }, { "fixed": "0.50.12" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 0.50.11" } } ], "references": [ { "type": "WEB", "url": "https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-x5vx-95h7-rv4p" }, { "type": "WEB", "url": "https://github.com/cosmos/cosmos-sdk/commit/0a98b65b24900a0e608866c78f172cf8e4140aea" }, { "type": "PACKAGE", "url": "https://github.com/cosmos/cosmos-sdk" }, { "type": "WEB", "url": "https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.16" }, { "type": "WEB", "url": "https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.12" } ], "database_specific": { "cwe_ids": [ "CWE-369" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-02-20T20:18:25Z", "nvd_published_at": null } }