x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: GHSA-x5vx-95h7-rv4p

[GoVulnBot]

Advisory GHSA-x5vx-95h7-rv4p references a vulnerability in the following Go modules:

Module
github.com/cosmos/cosmos-sdk

Description:
Name: ASA-2025-003: Groups module can halt chain when handling a malicious proposal
Component: CosmosSDK
Criticality: High (Considerable Impact; Likely Likelihood per ACMv1.2)
Affected versions: <= v0.47.15, <= 0.50.11
Affected users: Validators, Full nodes, Users on chains that utilize the groups module

Description

An issue was discovered in the groups module where a malicious proposal would result in a division by zero, and subsequently halt a chain due to the resulting error. Any user that can int...

References:

• ADVISORY: GHSA-x5vx-95h7-rv4p
• ADVISORY: GHSA-x5vx-95h7-rv4p
• FIX: cosmos/cosmos-sdk@0a98b65
• WEB: https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.16
• WEB: https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.12

Cross references:

• github.com/cosmos/cosmos-sdk appears in 10 other report(s):
  • data/excluded/GO-2022-0255.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: CVE-2021-41135 #255) NOT_IMPORTABLE
  • data/excluded/GO-2023-2047.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: GHSA-23px-mw2p-46qm #2047) NOT_IMPORTABLE
  • data/reports/GO-2023-1821.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: GHSA-qfc5-6r3j-jj22 #1821)
  • data/reports/GO-2023-1861.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk #1861)
  • data/reports/GO-2023-1881.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: GHSA-w5w5-2882-47pc #1881)
  • data/reports/GO-2024-2571.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: GHSA-2557-x9mg-76w8 #2571)
  • data/reports/GO-2024-2572.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: GHSA-4j93-fm92-rp4m #2572)
  • data/reports/GO-2024-2584.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: GHSA-86h5-xcpx-cfqc #2584)
  • data/reports/GO-2024-2638.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: GHSA-95rx-m9m5-m94v #2638)
  • data/reports/GO-2024-3339.yaml (x/vulndb: potential Go vuln in github.com/cosmos/cosmos-sdk: GHSA-8wcc-m6j2-qxvm #3339)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cosmos/cosmos-sdk
      non_go_versions:
        - introduced: TODO (earliest fixed "0.50.12", vuln range ">= 0.50.0-alpha.0, <= 0.50.11")
        - introduced: TODO (earliest fixed "0.47.16-ics-lsm", vuln range "<= 0.47.15")
      vulnerable_at: 0.50.12
summary: 'Cosmos SDK: Groups module can halt chain when handling a malicious proposal in github.com/cosmos/cosmos-sdk'
ghsas:
    - GHSA-x5vx-95h7-rv4p
references:
    - advisory: https://github.com/advisories/GHSA-x5vx-95h7-rv4p
    - advisory: https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-x5vx-95h7-rv4p
    - fix: https://github.com/cosmos/cosmos-sdk/commit/0a98b65b24900a0e608866c78f172cf8e4140aea
    - web: https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.16
    - web: https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.12
notes:
    - fix: 'module merge error: could not merge versions of module github.com/cosmos/cosmos-sdk: invalid or non-canonical semver version (found TODO (earliest fixed "0.50.12", vuln range ">= 0.50.0-alpha.0, <= 0.50.11"))'
source:
    id: GHSA-x5vx-95h7-rv4p
    created: 2025-02-20T21:01:28.233734651Z
review_status: UNREVIEWED