Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐹 Go

GHSA-4wf3-5qj9-368v

IBC-Go: Non-deterministic JSON Unmarshalling of IBC Acknowledgement can result in a chain halt

Also known asGO-2025-3517
Published
Mar 12, 2025
Updated
Mar 18, 2025
Affected
8 pkgs
Patched
8 / 8
Exploits
None indexed

Blast Radius

8 pkgs affected
🐹github.com/cosmos/ibc-go🐹github.com/cosmos/ibc-go/v8🐹github.com/cosmos/ibc-go/v2🐹github.com/cosmos/ibc-go/v3🐹github.com/cosmos/ibc-go/v4🐹github.com/cosmos/ibc-go/v5🐹github.com/cosmos/ibc-go/v6🐹github.com/cosmos/ibc-go/v7

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Name: ISA-2025-001: Non-deterministic JSON Unmarshalling of IBC Acknowledgement can result in a chain halt Component: IBC-Go Criticality: High (Considerable Impact; Likely Likelihood per ACMv1.2) Affected versions: IBC-Go >= v7; Earlier IBC-Go versions MAY also be affected. Affected users: Validators, Full nodes, IBC Middleware authors

Description

An issue was discovered in IBC-Go's deserialization of acknowledgements that results in non-deterministic behavior which can halt a chain. Any user that can open an IBC channel can introduce this state to the chain. The following patch is in addition to the previous patch which now extends the same protection to all applications beyond transfer.

Patches

The new IBC-Go releases below address this issue:

Workarounds

To prevent this state from being introduced to a chain, it is possible to permission Channel Opening as a workaround.

Notes on Re-Release

This is an extension of the previous patch, please update to the latest patch to get full coverage against the reported issue.

Is this state breaking?

This patch is not state breaking unless an exploit is submitted before the patch is applied across the network in which case the chain will halt just as if it was unpatched. Thus, you can safely apply this patch in a rolling manner and encourage validators to patch as soon as possible in order to prevent any chain halts (and we've already cut new versions of these for you).

Testing we have done to gain more confidence in this release

  • In addition to testing ibc-go, we also did the following:
  • Tested PFM v7 and v8 after bumping dependencies
  • Tested ibc-hooks v7 and v8 after bumping dependencies
  • Ran a patched node on Cosmos Hub Mainnet and triggered failing and successful transactions that used PFM
  • Ran a patched node on Osmosis mainnet and triggered failing and successful transactions that used ibc-hooks This is a more thorough process than before, so we have higher confidence.

This issue was reported to the Cosmos Bug Bounty Program by swelf19 on HackerOne on February 18, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

If you have questions about Interchain security efforts, please reach out to our official communication channel at [email protected]. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.

A Github Security Advisory for this issue is available in the IBC-Go repository.

Affected Packages

8 total 8 fixed
EcosystemPackageVulnerable rangeFix
🐹Gogithub.com/cosmos/ibc-goall versions7.10.0
🐹Gogithub.com/cosmos/ibc-go/v88.0.0-alpha.1&&< 8.7.08.7.0
🐹Gogithub.com/cosmos/ibc-go/v2all versions7.10.0
🐹Gogithub.com/cosmos/ibc-go/v3all versions7.10.0
🐹Gogithub.com/cosmos/ibc-go/v4all versions7.10.0
🐹Gogithub.com/cosmos/ibc-go/v5all versions7.10.0

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/cosmos/ibc-go. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update github.com/cosmos/ibc-go to 7.10.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-4wf3-5qj9-368v is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-4wf3-5qj9-368v is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-4wf3-5qj9-368v. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

Name: ISA-2025-001: Non-deterministic JSON Unmarshalling of IBC Acknowledgement can result in a chain halt Component: IBC-Go Criticality: High (Considerable Impact; Likely Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md)) Affected versions: IBC-Go >= v7; Earlier IBC-Go versions MAY also be affected. Affected users: Validators, Full nodes, IBC Middleware authors ### Description An issue was discovered in IBC-Go's deserialization of acknowledgements that results in non-deterministic behavior which can halt a chain. Any user that ca
O3 Security · Impact-Aware SCA

Is GHSA-4wf3-5qj9-368v in your dependencies?

O3 detects GHSA-4wf3-5qj9-368v across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works