N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-mx2j-7cmv-353c

EPSS Score

CWE

Published

2/4/2025

Updated

2/6/2025

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-mx2j-7cmv-353c

GHSA-mx2j-7cmv-353c: wasmvm: Malicious smart contract can slow down block production

CWA-2025-002

Severity

Medium (Moderate + Likely)[^1]

Affected versions:

wasmvm >= 2.2.0, < 2.2.2
wasmvm >= 2.1.0, < 2.1.5
wasmvm >= 2.0.0, < 2.0.6
wasmvm < 1.5.8

Patched versions:

wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2

Description of the bug

The vulnerability can be used to slow down block production. The attack requires a malicious contract, so permissioned chains are unlikely to be affected.

(We'll add more detail once chains had a chance to upgrade.)

Patch

1.5: https://github.com/CosmWasm/cosmwasm/commit/2b7f2faa57a1efc8207455c37f87f1eee6035a27
2.0: https://github.com/CosmWasm/cosmwasm/commit/d6143b0aff16a39bbea4be37597d8e9d9b213d3b
2.1: https://github.com/CosmWasm/cosmwasm/commit/f0c04c03cbe2557634c1bbcdc2ce203fe7caca58
2.2: https://github.com/CosmWasm/cosmwasm/commit/a5d62f65b5eb947ebe40e2085b1c48a9d0a244d0

Applying the patch

The patch will be shipped in releases of wasmvm. You can update more or less as follows:

Check the current wasmvm version: go list -m github.com/CosmWasm/wasmvm
Bump the github.com/CosmWasm/wasmvm dependency in your go.mod to one of the patched version depending on which minor version you are on; go mod tidy; commit.
If you use the static libraries libwasmvm_muslc.aarch64.a/libwasmvm_muslc.x86_64.a, update them accordingly.
Check the updated wasmvm version: go list -m github.com/CosmWasm/wasmvm and ensure you see 1.5.8, 2.0.6, 2.1.5 or 2.2.2.
Follow your regular practices to deploy chain upgrades.

The patch is consensus breaking and requires a coordinated upgrade.

Acknowledgement

This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne.

If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

Timeline

2024-11-24: Confio receives a report through the Cosmos bug bounty program maintained by Amulet.
2024-12-20: Confio security contributors confirm the report.
2024-01-27: Confio developed the patch internally.
2025-02-04: Patch gets released.

[^1]: following Amulet's Severity Classification Framework ACMv1.2: https://github.com/interchainio/security/blob/0295254e8645301ccb606d46108a45cede0a73e0/resources/CLASSIFICATION_MATRIX.md

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-mx2j-7cmv-353c

GHSA-mx2j-7cmv-353c:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-mx2j-7cmv-353c

EPSS Score

CWE

Published

2/4/2025

Updated

2/6/2025

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
cosmwasm-vm	rust	= 2.2.0	2.2.1
cosmwasm-vm	rust	>= 2.1.0, < 2.1.6	2.1.6
cosmwasm-vm	rust	>= 2.0.0, < 2.0.9	2.0.9
cosmwasm-vm	rust	< 1.5.10	1.5.10
github.com/CosmWasm/wasmvm	go	< 1.5.8	1.5.8
github.com/CosmWasm/wasmvm/v2	go	>= 2.2.0, < 2.2.2	2.2.2
github.com/CosmWasm/wasmvm/v2	go	>= 2.1.0, < 2.1.5	2.1.5
github.com/CosmWasm/wasmvm/v2	go	>= 2.0.0, < 2.0.6	2.0.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from insufficient gas metering for memory operations and host calls. Commit diffs show added gas cost fields (read_region_*, string_from_bytes_cost, host_call_cost) and modified LinearGasCost with overflow checks. These changes indicate previous versions lacked proper gas accounting for these operations, enabling resource exhaustion attacks through malicious contracts performing un-metered expensive computations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-mx2j-7cmv-353c: wasmvm: Malicious smart contract can slow down block production

CWA-2025-002

Description of the bug

Patch

Applying the patch

Acknowledgement

Timeline

GHSA-mx2j-7cmv-353c:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

N/A

N/A

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-mx2j-7cmv-353c: wasmvm: Malicious smart contract can slow down block production

CWA-2025-002

Description of the bug

Patch

Applying the patch

Acknowledgement

Timeline

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI