GHSA-p22h-3m2v-cmgh
Cosmos SDK's Integer Overflow vulnerability in its Validator Rewards pool can cause a chain halt
Blast Radius
github.com/cosmos/cosmos-sdk🐹github.com/cosmos/cosmos-sdkReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Description Name: ISA-2025-005: Integer Overflow in Cosmos SDK Component: CosmosSDK Criticality: High (Considerable Impact; Likely Likelihood per ACMv1.2) Affected versions: <= v0.50.13, <= 0.53.2 Affected users: Validators, Full nodes, Users on chains that utilize the distribution module Cosmos SDK chains in unpatched releases that use the x/distribution module are affected.
Description An issue was discovered in the distribution module where a malicious deposit into the Validator Rewards pool would result in an integer overflow that would cause a chain halt. A malicious validator can interact with the distribution module to introduce this state.
Patches Has the problem been patched? What versions should users upgrade to?
The new Cosmos SDK release v0.50.14 and v0.53.3 fix this issue.
There are no known workarounds for this issue. It is advised that chains apply the update.
This issue was reported to the Cosmos Bug Bounty Program by myte1111111 on HackerOne on April 15, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
If you have questions about Interchain security efforts, please reach out to our official communication channel at [email protected]. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/cosmos/cosmos-sdk | all versions | 0.50.14 |
| 🐹Go | github.com/cosmos/cosmos-sdk | ≥ 0.52.0-alpha.1&&< 0.53.3 | 0.53.3 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/cosmos/cosmos-sdk. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/cosmos/cosmos-sdk to 0.50.14 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-p22h-3m2v-cmgh is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-p22h-3m2v-cmgh is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-p22h-3m2v-cmgh. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-p22h-3m2v-cmgh in your dependencies?
O3 detects GHSA-p22h-3m2v-cmgh across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.