Severity
Medium (Moderate + Likely)[^1]
Affected versions:
Patched versions:
(Blank for now. We'll add more detail once chains had a chance to upgrade.)
The patch will be shipped in releases of wasmvm. You can update more or less as follows:

1. Check the current version with `go list -m github.com/CosmWasm/wasmvm`.
2. Update the `github.com/CosmWasm/wasmvm` dependency in your go.mod to 1.5.5, 2.0.4, 2.1.3 depending on which minor version you are on; `go mod tidy`; commit.
3. If you use `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, update them accordingly.
4. Run `go list -m github.com/CosmWasm/wasmvm` and ensure you see 1.5.5, 2.0.4, 2.1.3.

To double check if the correct library version is loaded at runtime, use this query: `<appd> query wasm libwasmvm-version`. It must show 1.5.5, 2.0.4 or 2.1.3.
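The two version checks above can be scripted so that a node is accepted only when the built dependency and the loaded library are both patched and agree with each other. This is an added example, not part of the advisory or of wasmvm; the function names and the `APPD` variable are hypothetical, and it assumes the runtime query prints a bare version string.

```shell
#!/bin/sh
# Added example: compare wasmvm versions against the patched releases in this advisory.
PATCHED="1.5.5 2.0.4 2.1.3"

# effective_version LINE: extract the version from one line of `go list -m` output.
# With a replace directive in go.mod the line reads "path vOLD => newpath vNEW";
# the replacement (last field) is what actually gets built, so that is what we return.
effective_version() {
    printf '%s\n' "$1" | awk '{ v = $NF; sub(/^v/, "", v); print v }'
}

# is_patched VERSION: succeed only if VERSION is exactly one of the patched releases.
is_patched() {
    v=${1#v}
    for p in $PATCHED; do
        [ "$v" = "$p" ] && return 0
    done
    return 1
}

# check_upgrade GO_LIST_LINE RUNTIME_VERSION: verify the build dependency, the
# library loaded at runtime, and that the two are the same release.
# Assumption: RUNTIME_VERSION is a bare version string, optionally prefixed with "v".
check_upgrade() {
    built=$(effective_version "$1")
    runtime=$(printf '%s' "$2" | tr -d '[:space:]')
    runtime=${runtime#v}
    is_patched "$built"   || { echo "go.mod: $built is not a patched release"; return 1; }
    is_patched "$runtime" || { echo "runtime: $runtime is not a patched release"; return 1; }
    [ "$built" = "$runtime" ] || { echo "mismatch: built $built, loaded $runtime"; return 1; }
    echo "ok: wasmvm $built"
}

# Live usage (APPD is a placeholder for your chain binary, the advisory's <appd>):
#   check_upgrade "$(go list -m github.com/CosmWasm/wasmvm)" \
#                 "$("$APPD" query wasm libwasmvm-version)"
```

A replace directive that points at a local path yields no version in the last field, so the check fails closed and the build has to be inspected by hand.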
The patch is consensus breaking and requires a coordinated upgrade.
This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne.
If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
{ "nvd_published_at": null, "cwe_ids": [], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-12-10T16:55:37Z" }