{ "schema_version": "1.4.0", "id": "GHSA-47ww-ff84-4jrg", "modified": "2025-08-20T17:39:56Z", "published": "2025-03-12T19:28:42Z", "aliases": [], "summary": "Cosmos SDK: x/group can halt when erroring in EndBlocker", "details": "Name: ISA-2025-002: x/group can halt when erroring in EndBlocker\nComponent: CosmosSDK\nCriticality: High (Considerable Impact; Likely Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))\nAffected versions: <= v0.47.16, <= 0.50.12\nAffected users: Validators, Full nodes, Users on chains that utilize the groups module\nCosmos SDK chains in unpatched releases that use the `x/group` module are affected.\n\n### Description\n\nAn issue was discovered in the groups module where malicious proposals would result in an errors triggered in the module's end blocker that could result in a chain halt. Any set of users that can interact with the groups module could introduce this state.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThe new Cosmos SDK release [v0.50.13](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.13) and [v0.47.17](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.17) fix this issue.\n\n### Testing\n\nTesting we have done to gain more confidence in this release:\n\nIn addition to testing Cosmos SDK we also did the following:\n\n- Ran a patched node in a local `v0.50` testnet with the failing state and did not halt (an unpatched network confirmed to halt)\n- Ran a patched node on Xion Mainnet (uses `x/group`)\n- Ran a patched node on Zetachain Mainnet (uses `x/xgroup`)\n \n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nThere are no known workarounds for this issue. It is advised that chains apply the update.\n\nThis issue was reported to the Cosmos Bug Bounty Program by [wbowling](https://github.com/wbowling) on HackerOne on February 28, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.\n\nIf you have questions about Interchain security efforts, please reach out to our official communication channel at [security@interchain.io](mailto:security@interchain.io). For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.", "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/cosmos/cosmos-sdk" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.50.0-alpha.0" }, { "fixed": "0.50.13" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 0.50.12" } }, { "package": { "ecosystem": "Go", "name": "github.com/cosmos/cosmos-sdk" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.47.17" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 0.47.16" } } ], "references": [ { "type": "WEB", "url": "https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-47ww-ff84-4jrg" }, { "type": "WEB", "url": "https://github.com/cosmos/cosmos-sdk/commit/cbd69fb1f4fac418c1f8c6253f5f91fb1263776a" }, { "type": "PACKAGE", "url": "https://github.com/cosmos/cosmos-sdk" } ], "database_specific": { "cwe_ids": [ "CWE-755" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-03-12T19:28:42Z", "nvd_published_at": null } }