{"id":"GHSA-47ww-ff84-4jrg","summary":"Cosmos SDK: x/group can halt when erroring in EndBlocker","details":"Name: ISA-2025-002: x/group can halt when erroring in EndBlocker\nComponent: CosmosSDK\nCriticality: High (Considerable Impact; Likely Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))\nAffected versions: \u003c= v0.47.16, \u003c= 0.50.12\nAffected users: Validators, Full nodes, Users on chains that utilize the groups module\nCosmos SDK chains in unpatched releases that use the `x/group` module are affected.\n\n### Description\n\nAn issue was discovered in the groups module where malicious proposals would result in an errors triggered in the module's end blocker that could result in a chain halt.  Any set of users that can interact with the groups module could introduce this state.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThe new Cosmos SDK release [v0.50.13](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.13) and [v0.47.17](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.17) fix this issue.\n\n### Testing\n\nTesting we have done to gain more confidence in this release:\n\nIn addition to testing Cosmos SDK we also did the following:\n\n- Ran a patched node in a local `v0.50` testnet with the failing state and did not halt (an unpatched network confirmed to halt)\n- Ran a patched node on Xion Mainnet (uses `x/group`)\n- Ran a patched node on Zetachain Mainnet (uses `x/xgroup`)\n    \n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nThere are no known workarounds for this issue. It is advised that chains apply the update.\n\nThis issue was reported to the Cosmos Bug Bounty Program by [wbowling](https://github.com/wbowling) on HackerOne on February 28, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.\n\nIf you have questions about Interchain security efforts, please reach out to our official communication channel at [security@interchain.io](mailto:security@interchain.io). For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.","aliases":["GO-2025-3516"],"modified":"2025-08-20T17:39:56Z","published":"2025-03-12T19:28:42Z","database_specific":{"github_reviewed":true,"severity":"HIGH","nvd_published_at":null,"github_reviewed_at":"2025-03-12T19:28:42Z","cwe_ids":["CWE-755"]},"references":[{"type":"WEB","url":"https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-47ww-ff84-4jrg"},{"type":"WEB","url":"https://github.com/cosmos/cosmos-sdk/commit/cbd69fb1f4fac418c1f8c6253f5f91fb1263776a"},{"type":"PACKAGE","url":"https://github.com/cosmos/cosmos-sdk"}],"affected":[{"package":{"name":"github.com/cosmos/cosmos-sdk","ecosystem":"Go","purl":"pkg:golang/github.com/cosmos/cosmos-sdk"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.50.0-alpha.0"},{"fixed":"0.50.13"}]}],"database_specific":{"last_known_affected_version_range":"\u003c= 0.50.12","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-47ww-ff84-4jrg/GHSA-47ww-ff84-4jrg.json"}},{"package":{"name":"github.com/cosmos/cosmos-sdk","ecosystem":"Go","purl":"pkg:golang/github.com/cosmos/cosmos-sdk"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.47.17"}]}],"database_specific":{"last_known_affected_version_range":"\u003c= 0.47.16","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-47ww-ff84-4jrg/GHSA-47ww-ff84-4jrg.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}