GHSA-qwvm-wqq8-8j69

Source
https://github.com/advisories/GHSA-qwvm-wqq8-8j69
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-qwvm-wqq8-8j69/GHSA-qwvm-wqq8-8j69.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-qwvm-wqq8-8j69
Aliases
Published
2025-09-30T21:06:02Z
Modified
2025-10-23T20:34:29Z
Severity
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
github.com/MANTRA-Chain/mantrachain/x/tokenfactory tx gas limit is not enforced in send hooks
Details

Impact

Send hooks can spend more gas than remains in the tx. Combined with recursive calls in the wasm contract, this can amplify the gas consumption exponentially.

Patches

It's patched in v4.0.2 and v5.0.0.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Database specific
{
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2025-10-02T20:15:35Z",
    "severity": "HIGH",
    "github_reviewed_at": "2025-09-30T21:06:02Z"
}
References

Affected packages

Go

github.com/MANTRA-Chain/mantrachain/v4

Package

Name
github.com/MANTRA-Chain/mantrachain/v4
Purl
pkg:golang/github.com/MANTRA-Chain/mantrachain/v4

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.0.2

github.com/MANTRA-Chain/mantrachain/v3

Package

Name
github.com/MANTRA-Chain/mantrachain/v3
Purl
pkg:golang/github.com/MANTRA-Chain/mantrachain/v3

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Database specific

last_known_affected_version_range

"< 4.0.2"

github.com/MANTRA-Chain/mantrachain/v2

Package

Name
github.com/MANTRA-Chain/mantrachain/v2
Purl
pkg:golang/github.com/MANTRA-Chain/mantrachain/v2

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Database specific

last_known_affected_version_range

"< 4.0.2"

github.com/MANTRA-Chain/mantrachain

Package

Name
github.com/MANTRA-Chain/mantrachain
Purl
pkg:golang/github.com/MANTRA-Chain/mantrachain

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Database specific

last_known_affected_version_range

"< 4.0.2"