CVE-2025-25500: CosmWasm Allows Bypass of Capability Restrictions in Blockchains
An issue in CosmWasm prior to v2.2.0 allows attackers to bypass capability restrictions in blockchains by exploiting a lack of runtime capability validation. This allows attackers to deploy a contract without capability enforcement, and execute unauthorized actions on the blockchain.
References
- gist.github.com/H3T76/8096a6ff9410f3a6d9a25db1a68ae657
- github.com/CVEProject/cveproject.github.io/blob/gh-pages/requester/reservation-guidelines.md
- github.com/CosmWasm/cosmwasm
- github.com/CosmWasm/cosmwasm/blob/v2.2.0/CHANGELOG.md
- github.com/advisories/GHSA-cg8r-jwg7-r2x4
- nvd.nist.gov/vuln/detail/CVE-2025-25500
Detect and mitigate CVE-2025-25500 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →