GHSA-33cr-m232-xqch: cheqd-node affected by Non-deterministic JSON Unmarshalling of IBC Acknowledgement

March 11, 2025 (updated March 14, 2025)

An issue was discovered in IBC-Go’s deserialization of acknowledgements that results in non-deterministic behavior which can halt a chain. Any user that can open an IBC channel can introduce this state to the chain.

This an upstream dependency used in cheqd-node, rather than a custom module.

References

github.com/advisories/GHSA-33cr-m232-xqch
github.com/cheqd/cheqd-node
github.com/cheqd/cheqd-node/security/advisories/GHSA-33cr-m232-xqch
github.com/cosmos/ibc-go/commit/59987d52d959dc5876ffd4f307c9b33a52a43748
github.com/cosmos/ibc-go/security/advisories/GHSA-jg6f-48ff-5xrw
pkg.go.dev/vuln/GO-2025-3514

Detect and mitigate GHSA-33cr-m232-xqch with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →