GHSA-x5vx-95h7-rv4p
Cosmos SDK: Groups module can halt chain when handling a malicious proposal
Blast Radius
github.com/cosmos/cosmos-sdk🐹github.com/cosmos/cosmos-sdkReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Name: ASA-2025-003: Groups module can halt chain when handling a malicious proposal Component: CosmosSDK Criticality: High (Considerable Impact; Likely Likelihood per ACMv1.2) Affected versions: <= v0.47.15, <= 0.50.11 Affected users: Validators, Full nodes, Users on chains that utilize the groups module
Description
An issue was discovered in the groups module where a malicious proposal would result in a division by zero, and subsequently halt a chain due to the resulting error. Any user that can interact with the groups module can introduce this state.
Patches
The new Cosmos SDK release v0.50.12 and v0.47.16 fix this issue.
Workarounds
There are no known workarounds for this issue. It is advised that chains apply the update.
Timeline
- February 9, 2025, 5:18pm PST: Issue reported to the Cosmos Bug Bounty program
- February 9, 2025, 8:12am PST: Issue triaged by Amulet on-call, and distributed to Core team
- February 9, 2025, 12:25pm PST: Core team completes validation of issue
- February 18, 2025, 8:00am PST / 17:00 CET: Pre-notification delivered
- February 20, 2025, 8:00am PST / 17:00 CET: Patch made available
This issue was reported to the Cosmos Bug Bounty Program by dongsam on HackerOne on February 9, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
If you have questions about Interchain security efforts, please reach out to our official communication channel at [email protected]. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.
A Github Security Advisory for this issue is available in the Cosmos SDK repository.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/cosmos/cosmos-sdk | all versions | 0.47.16-ics-lsm |
| 🐹Go | github.com/cosmos/cosmos-sdk | ≥ 0.50.0-alpha.0&&< 0.50.12 | 0.50.12 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/cosmos/cosmos-sdk. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/cosmos/cosmos-sdk to 0.47.16-ics-lsm or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-x5vx-95h7-rv4p is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-x5vx-95h7-rv4p is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-x5vx-95h7-rv4p. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-x5vx-95h7-rv4p in your dependencies?
O3 detects GHSA-x5vx-95h7-rv4p across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.