There have been two upstream security advisories and associated patches published under ISA-2025-001 and ISA-2025-002. ISA-2025-001 affects the IBC-Go package., where non-deterministic JSON unmarshalling of IBC Acknowledgements can result in a chain halt. ISA-2025-002 affects the Cosmos SDK package, where x/group can halt when erroring in EndBlocker.
An issue was discovered in IBC-Go's deserialization of acknowledgements that results in non-deterministic behavior which can halt a chain. Any user that can open an IBC channel can introduce this state to the chain. This an upstream dependency used in cheqd-node, rather than a custom module.
Impact This vulnerability dubbed "Barberry" affects the Cosmos SDK framework used by cheqd-node as base. It impacts the way Cosmos SDK handles vesting accounts, and can therefore be a high-impact vulnerability for any network running the framework. There is no vulnerability in the DID/resource modules for cheqd-node. Patches Node operators are requested to upgrade to cheqd-node v1.4.4. This is not a state-breaking release and does not require a coordinated upgrade …
Impact This vulnerability affects the ibc-go package for those running full nodes, dubbed "Huckleberry". According to their advisory: This issue is low-severity in general, and it has a low impact and likelihood of exploitation. Depending on how a full node is architected, this issue could potentially yield a high or critical severity vulnerability. There is no vulnerability in the DID/resource modules for cheqd-node. Patches Node operators are requested to upgrade …
This vulnerability affects IBC transfers due to a security vulnerability dubbed "Dragonberry" upstream in Cosmos SDK. The vulnerability could allow malicious attackers to compromise chain-to-chain IBC transfers. There is no vulnerability in the DID/resource modules for cheqd-node.