How severe is GHSA-mx2j-7cmv-353c?

No CVSS score has been assigned to GHSA-mx2j-7cmv-353c yet. Review the advisory details and affected package list to assess your exposure.

Which packages are affected by GHSA-mx2j-7cmv-353c?

GHSA-mx2j-7cmv-353c affects the following packages: cosmwasm-vm (crates.io), cosmwasm-vm (crates.io), cosmwasm-vm (crates.io), cosmwasm-vm (crates.io), github.com/CosmWasm/wasmvm (Go), github.com/CosmWasm/wasmvm/v2 (Go), github.com/CosmWasm/wasmvm/v2 (Go), github.com/CosmWasm/wasmvm/v2 (Go), and 4 more. Ecosystems affected: crates.io, Go.

How do I fix GHSA-mx2j-7cmv-353c?

Update cosmwasm-vm to 2.2.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-mx2j-7cmv-353c is resolved across your whole dependency graph.

How do I detect GHSA-mx2j-7cmv-353c in my crates.io, Go dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for cosmwasm-vm. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-mx2j-7cmv-353c if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-mx2j-7cmv-353c?

O3 pinpoints whether GHSA-mx2j-7cmv-353c is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-mx2j-7cmv-353c actively exploited in the wild?

No public exploit code has been indexed for GHSA-mx2j-7cmv-353c yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

When was GHSA-mx2j-7cmv-353c published, and has it been updated?

GHSA-mx2j-7cmv-353c was published on February 4, 2025 and was last updated on July 9, 2025. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

GHSA-mx2j-7cmv-353c: cosmwasm-vm

Blast Radius

12 pkgs affected

🦀cosmwasm-vm🦀cosmwasm-vm🦀cosmwasm-vm🦀cosmwasm-vm🐹github.com/CosmWasm/wasmvm🐹github.com/CosmWasm/wasmvm/v2🐹github.com/CosmWasm/wasmvm/v2🐹github.com/CosmWasm/wasmvm/v2+4 more

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.

Description

CWA-2025-002

Severity

Medium (Moderate + Likely)¹

Affected versions:

wasmvm >= 2.2.0, < 2.2.2
wasmvm >= 2.1.0, < 2.1.5
wasmvm >= 2.0.0, < 2.0.6
wasmvm < 1.5.8

Patched versions:

wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2

Description of the bug

The vulnerability can be used to slow down block production. The attack requires a malicious contract, so permissioned chains are unlikely to be affected.

(We'll add more detail once chains had a chance to upgrade.)

Patch

Applying the patch

The patch will be shipped in releases of wasmvm. You can update more or less as follows:

Check the current wasmvm version: go list -m github.com/CosmWasm/wasmvm
Bump the github.com/CosmWasm/wasmvm dependency in your go.mod to one of the patched version depending on which minor version you are on; go mod tidy; commit.
If you use the static libraries libwasmvm_muslc.aarch64.a/libwasmvm_muslc.x86_64.a, update them accordingly.
Check the updated wasmvm version: go list -m github.com/CosmWasm/wasmvm and ensure you see 1.5.8, 2.0.6, 2.1.5 or 2.2.2.
Follow your regular practices to deploy chain upgrades.

The patch is consensus breaking and requires a coordinated upgrade.

Acknowledgement

This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne.

If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

Timeline

2024-11-24: Confio receives a report through the Cosmos bug bounty program maintained by Amulet.
2024-12-20: Confio security contributors confirm the report.
2024-01-27: Confio developed the patch internally.
2025-02-04: Patch gets released.

Footnotes

following Amulet's Severity Classification Framework ACMv1.2: https://github.com/interchainio/security/blob/0295254e8645301ccb606d46108a45cede0a73e0/resources/CLASSIFICATION_MATRIX.md ↩

Affected Packages

12 total 12 fixed

Ecosystem	Package	Vulnerable range	Fix
🦀crates.io	`cosmwasm-vm`	≥ 2.2.0&&< 2.2.1	2.2.1
🦀crates.io	`cosmwasm-vm`	≥ 2.1.0&&< 2.1.6	2.1.6
🦀crates.io	`cosmwasm-vm`	≥ 2.0.0&&< 2.0.9	2.0.9
🦀crates.io	`cosmwasm-vm`	all versions	1.5.10
🐹Go	`github.com/CosmWasm/wasmvm`	≥ 0.1.0&&< 1.5.8	1.5.8
🐹Go	`github.com/CosmWasm/wasmvm/v2`	≥ 2.2.0&&< 2.2.2	2.2.2

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for cosmwasm-vm. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update cosmwasm-vm to 2.2.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-mx2j-7cmv-353c is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-mx2j-7cmv-353c is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-mx2j-7cmv-353c. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

# CWA-2025-002 **Severity** Medium (Moderate + Likely)[^1] **Affected versions:** - wasmvm >= 2.2.0, < 2.2.2 - wasmvm >= 2.1.0, < 2.1.5 - wasmvm >= 2.0.0, < 2.0.6 - wasmvm < 1.5.8 **Patched versions:** - wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2 ## Description of the bug The vulnerability can be used to slow down block production. The attack requires a malicious contract, so permissioned chains are unlikely to be affected. (We'll add more detail once chains had a chance to upgrade.) ## Patch - 1.5: https://github.com/CosmWasm/cosmwasm/commit/2b7f2faa57a1efc8207455c37f87f1eee6035a27 - 2.0: h

O3 Security · Impact-Aware SCA

Is GHSA-mx2j-7cmv-353c in your dependencies?

O3 detects GHSA-mx2j-7cmv-353c across crates.io, Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works

GHSA-mx2j-7cmv-353c