{"id":"GHSA-75qh-gg76-p2w4","summary":"CWA-2023-004: Excessive number of function parameters in compiled Wasm","details":"A specially crafted Wasm file can cause the VM to consume excessive amounts of memory when compiling a contract.\nThis can lead to high memory usage, slowdowns, and potentially a crash, and it can poison a lock in the VM,\npreventing any further interaction with contracts.\n\nFor more information, see [CWA-2023-004](https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2023-004.md).\n","aliases":["GO-2024-3101","RUSTSEC-2024-0366"],"modified":"2025-10-28T06:29:18.064669Z","published":"2024-08-27T19:55:40Z","database_specific":{"github_reviewed":true,"nvd_published_at":null,"cwe_ids":["CWE-400"],"severity":"MODERATE","github_reviewed_at":"2024-08-27T19:55:40Z"},"references":[{"type":"WEB","url":"https://forum.cosmos.network/t/high-severity-security-patch-upcoming-on-wed-10th-cwa-2023-004-brought-to-you-by-certik-and-confio/12840"},{"type":"WEB","url":"https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2023-004.md"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-75qh-gg76-p2w4"},{"type":"WEB","url":"https://rustsec.org/advisories/RUSTSEC-2024-0366.html"},{"type":"WEB","url":"https://www.certik.com/resources/blog/risk-and-security-enhancement-for-app-chains-an-in-depth-writeup-of-cwa-2023"}],"affected":[{"package":{"name":"cosmwasm-vm","ecosystem":"crates.io","purl":"pkg:cargo/cosmwasm-vm"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.2.8"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-75qh-gg76-p2w4/GHSA-75qh-gg76-p2w4.json"}},{"package":{"name":"cosmwasm-vm","ecosystem":"crates.io","purl":"pkg:cargo/cosmwasm-vm"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.3.0"},{"fixed":"1.3.4"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-75qh-gg76
-p2w4/GHSA-75qh-gg76-p2w4.json"}},{"package":{"name":"cosmwasm-vm","ecosystem":"crates.io","purl":"pkg:cargo/cosmwasm-vm"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.4.0"},{"fixed":"1.4.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-75qh-gg76-p2w4/GHSA-75qh-gg76-p2w4.json"}},{"package":{"name":"cosmwasm-vm","ecosystem":"crates.io","purl":"pkg:cargo/cosmwasm-vm"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.5.0"},{"fixed":"1.5.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-75qh-gg76-p2w4/GHSA-75qh-gg76-p2w4.json"}},{"package":{"name":"github.com/CosmWasm/wasmvm","ecosystem":"Go","purl":"pkg:golang/github.com/CosmWasm/wasmvm"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.2.5"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-75qh-gg76-p2w4/GHSA-75qh-gg76-p2w4.json"}},{"package":{"name":"github.com/CosmWasm/wasmvm","ecosystem":"Go","purl":"pkg:golang/github.com/CosmWasm/wasmvm"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.3.0"},{"fixed":"1.3.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-75qh-gg76-p2w4/GHSA-75qh-gg76-p2w4.json"}},{"package":{"name":"github.com/CosmWasm/wasmvm","ecosystem":"Go","purl":"pkg:golang/github.com/CosmWasm/wasmvm"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.4.0"},{"fixed":"1.4.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-75qh-gg76-p2w4/GHSA-75qh-gg76-p2w4.json"}},{"package":{"name":"github.com/CosmWasm/wasmvm","ecosystem":"Go","purl":"pkg:golang/github.com/CosmWasm/wasmvm"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.5.0"},{"fixed":"1.5.1"}]}],"database_spec
ific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-75qh-gg76-p2w4/GHSA-75qh-gg76-p2w4.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"}]}