GHSA-47ww-ff84-4jrg
Cosmos SDK: x/group can halt when erroring in EndBlocker
Blast Radius
github.com/cosmos/cosmos-sdk🐹github.com/cosmos/cosmos-sdkReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Name: ISA-2025-002: x/group can halt when erroring in EndBlocker
Component: CosmosSDK
Criticality: High (Considerable Impact; Likely Likelihood per ACMv1.2)
Affected versions: <= v0.47.16, <= 0.50.12
Affected users: Validators, Full nodes, Users on chains that utilize the groups module
Cosmos SDK chains in unpatched releases that use the x/group module are affected.
Description
An issue was discovered in the groups module where malicious proposals would result in an errors triggered in the module's end blocker that could result in a chain halt. Any set of users that can interact with the groups module could introduce this state.
Patches
Has the problem been patched? What versions should users upgrade to?
The new Cosmos SDK release v0.50.13 and v0.47.17 fix this issue.
Testing
Testing we have done to gain more confidence in this release:
In addition to testing Cosmos SDK we also did the following:
- Ran a patched node in a local
v0.50testnet with the failing state and did not halt (an unpatched network confirmed to halt) - Ran a patched node on Xion Mainnet (uses
x/group) - Ran a patched node on Zetachain Mainnet (uses
x/xgroup)
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
There are no known workarounds for this issue. It is advised that chains apply the update.
This issue was reported to the Cosmos Bug Bounty Program by wbowling on HackerOne on February 28, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
If you have questions about Interchain security efforts, please reach out to our official communication channel at [email protected]. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/cosmos/cosmos-sdk | ≥ 0.50.0-alpha.0&&< 0.50.13 | 0.50.13 |
| 🐹Go | github.com/cosmos/cosmos-sdk | all versions | 0.47.17 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/cosmos/cosmos-sdk. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/cosmos/cosmos-sdk to 0.50.13 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-47ww-ff84-4jrg is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-47ww-ff84-4jrg is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-47ww-ff84-4jrg. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-47ww-ff84-4jrg in your dependencies?
O3 detects GHSA-47ww-ff84-4jrg across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.