N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-mx2j-7cmv-353c

EPSS Score

CWE

Published

2/4/2025

Updated

2/6/2025

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-mx2j-7cmv-353c

GHSA-mx2j-7cmv-353c: wasmvm: Malicious smart contract can slow down block production

CWA-2025-002

Severity

Medium (Moderate + Likely)[^1]

Affected versions:

wasmvm >= 2.2.0, < 2.2.2
wasmvm >= 2.1.0, < 2.1.5
wasmvm >= 2.0.0, < 2.0.6
wasmvm < 1.5.8

Patched versions:

wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2

Description of the bug

The vulnerability can be used to slow down block production. The attack requires a malicious contract, so permissioned chains are unlikely to be affected.

(We'll add more detail once chains had a chance to upgrade.)

Patch

1.5: https://github.com/CosmWasm/cosmwasm/commit/2b7f2faa57a1efc8207455c37f87f1eee6035a27
2.0: https://github.com/CosmWasm/cosmwasm/commit/d6143b0aff16a39bbea4be37597d8e9d9b213d3b
2.1: https://github.com/CosmWasm/cosmwasm/commit/f0c04c03cbe2557634c1bbcdc2ce203fe7caca58
2.2: https://github.com/CosmWasm/cosmwasm/commit/a5d62f65b5eb947ebe40e2085b1c48a9d0a244d0

Applying the patch

The patch will be shipped in releases of wasmvm. You can update more or less as follows:

Check the current wasmvm version: go list -m github.com/CosmWasm/wasmvm
Bump the github.com/CosmWasm/wasmvm dependency in your go.mod to one of the patched version depending on which minor version you are on; go mod tidy; commit.
If you use the static libraries libwasmvm_muslc.aarch64.a/libwasmvm_muslc.x86_64.a, update them accordingly.
Check the updated wasmvm version: go list -m github.com/CosmWasm/wasmvm and ensure you see 1.5.8, 2.0.6, 2.1.5 or 2.2.2.
Follow your regular practices to deploy chain upgrades.

The patch is consensus breaking and requires a coordinated upgrade.

Acknowledgement

This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne.

If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

Timeline

2024-11-24: Confio receives a report through the Cosmos bug bounty program maintained by Amulet.
2024-12-20: Confio security contributors confirm the report.
2024-01-27: Confio developed the patch internally.
2025-02-04: Patch gets released.

[^1]: following Amulet's Severity Classification Framework ACMv1.2: https://github.com/interchainio/security/blob/0295254e8645301ccb606d46108a45cede0a73e0/resources/CLASSIFICATION_MATRIX.md

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-mx2j-7cmv-353c

EPSS Score

CWE

Published

2/4/2025

Updated

2/6/2025

KEV Status

Technology

Rust

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
cosmwasm-vm	rust	= 2.2.0	2.2.1
cosmwasm-vm	rust	>= 2.1.0, < 2.1.6	2.1.6
cosmwasm-vm	rust	>= 2.0.0, < 2.0.9	2.0.9
cosmwasm-vm	rust	< 1.5.10	1.5.10
github.com/CosmWasm/wasmvm	go	< 1.5.8	1.5.8
github.com/CosmWasm/wasmvm/v2	go	>= 2.2.0, < 2.2.2	2.2.2
github.com/CosmWasm/wasmvm/v2	go	>= 2.1.0, < 2.1.5	2.1.5
github.com/CosmWasm/wasmvm/v2	go	>= 2.0.0, < 2.0.6	2.0.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from insufficient gas metering for memory operations and host calls. Commit diffs show added gas cost fields (read_region_*, string_from_bytes_cost, host_call_cost) and modified LinearGasCost with overflow checks. These changes indicate previous versions lacked proper gas accounting for these operations, enabling resource exhaustion attacks through malicious contracts performing un-metered expensive computations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

# *W*-****-*** **S*v*rity** M**ium (Mo**r*t* + Lik*ly)[^*] *******t** v*rsions:** - w*smvm >= *.*.*, < *.*.* - w*smvm >= *.*.*, < *.*.* - w*smvm >= *.*.*, < *.*.* - w*smvm < *.*.* **P*t**** v*rsions:** - w*smvm *.*.*, *.*.*, *.*.*, *.*.* ## **

Reasoning

T** vuln*r**ility st*mm** *rom insu**i*i*nt **s m*t*rin* *or m*mory op*r*tions *n* *ost **lls. *ommit *i**s s*ow ***** **s *ost *i*l*s (r***_r**ion_*, strin*_*rom_*yt*s_*ost, *ost_**ll_*ost) *n* mo*i*i** Lin**r**s*ost wit* ov*r*low ****ks. T**s* ***n

N/A

Basic Information

Concerned about an active attack path?

GHSA-mx2j-7cmv-353c: wasmvm: Malicious smart contract can slow down block production

CWA-2025-002

Description of the bug

Patch

Applying the patch

Acknowledgement

Timeline

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI