GHSA-8wcc-m6j2-qxvm: Transaction decoding may result in a stack overflow or resource exhaustion
ASA-2024-0012: When decoding a maliciously formed packet with a deeply nested structure, a stack overflow may occur and result in a network halt. This was addressed by adding a recursion limit while decoding the packet.

ASA-2024-0013: Nested messages in a transaction can consume exponential CPU and memory on UnpackAny calls. The max_tx_bytes limit applies to external transactions but is not applied to internal messages emitted by wasm contracts or a malicious validator block. This may result in a node crashing due to resource exhaustion. This was addressed by adding additional validation to prevent this condition.
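As an added illustration (not cosmos-sdk code), the following is a minimal recursive decoder for a protobuf-style message whose field 1 embeds another message of the same shape, with the kind of recursion limit ASA-2024-0012 describes: without the depth check on entry, a small attacker-supplied packet nesting many thousands of levels would drive the decoder's stack to overflow. MaxNestingDepth, the function names and the single-field wire layout are assumptions for this example.

```go
package main

import "errors"

// MaxNestingDepth is a constructed limit for this example; the advisory says a
// recursion limit was added to the decoder but does not state its value.
const MaxNestingDepth = 16

var ErrTooDeep = errors.New("embedded message exceeds MaxNestingDepth")

// readVarint decodes a protobuf base-128 varint from the front of b.
func readVarint(b []byte) (v uint64, n int, err error) {
	for i := 0; i < len(b) && i < 10; i++ {
		v |= uint64(b[i]&0x7f) << (7 * uint(i))
		if b[i]&0x80 == 0 {
			return v, i + 1, nil
		}
	}
	return 0, 0, errors.New("truncated varint")
}

// DecodeNested walks a message whose field 1 (wire type 2) holds an embedded
// message of the same shape and returns how many embedded messages it unpacked.
// The depth check on entry bounds stack growth no matter what the packet holds.
func DecodeNested(msg []byte, depth int) (int, error) {
	if depth > MaxNestingDepth {
		return 0, ErrTooDeep
	}
	count := 0
	for len(msg) > 0 {
		key, n, err := readVarint(msg)
		if err != nil || key&7 != 2 { // this shape only carries length-delimited fields
			return 0, errors.New("malformed field key")
		}
		l, m, err := readVarint(msg[n:])
		if err != nil || l > uint64(len(msg)-n-m) { // length must fit the buffer
			return 0, errors.New("length exceeds buffer")
		}
		body := msg[n+m : n+m+int(l)]
		msg = msg[n+m+int(l):]
		if key>>3 == 1 { // field 1: recurse one level deeper
			inner, err := DecodeNested(body, depth+1)
			if err != nil {
				return 0, err
			}
			count += 1 + inner
		}
	}
	return count, nil
}
```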
References
- github.com/advisories/GHSA-8wcc-m6j2-qxvm
- github.com/cosmos/cosmos-sdk
- github.com/cosmos/cosmos-sdk/commit/c6b1bdcd5628e3e425a3f02881d3c7db1d7af653
- github.com/cosmos/cosmos-sdk/releases/tag/v0.47.15
- github.com/cosmos/cosmos-sdk/releases/tag/v0.50.11
- github.com/cosmos/cosmos-sdk/security/advisories/GHSA-8wcc-m6j2-qxvm