Advisories for Golang/Github.com/CosmWasm/Wasmd package

CWA-2025-006: Improper error handling may lead to IBC channel opening despite error Severity High (Considerable + Likely)[^1] Affected versions: wasmd 0.60.0 wasmd >= 0.51.0 < 0.55.1 Patched versions: wasmd 0.60.1, 0.55.1, 0.54.1, 0.53.3 Description of the bug A contract erroring during IBC channel opening does not prevent the channel from opening. Applying the patch The patch will be shipped in a wasmd release. You will also have to update libwasmvm …

CWA-2024-009 Severity Low (Marginal + Likely)[^1] Affected versions: wasmd < 0.53.1 Patched versions: wasmd 0.53.2 (please note that wasmd 0.53.1 is broken and must not be used) Description of the bug (Blank for now. We'll add more detail once chains had a chance to upgrade.) Mitigations Apart from upgrading, it is recommended to not open the gRPC and REST APIs of validator nodes to the public internet. Use isolated and …

Component: wasmd Criticality: Medium (ACMv1: I:Moderate; L:Likely) Patched versions: wasmd 0.53.0 See CWA-2024-006 for more details.

Component: wasmd Criticality: High (ACMv1: I:Critical; L:Likely) Patched versions: wasmd 0.53.0, 0.46.0 See CWA-2024-005 for more details.

Component: wasmd Criticality: Low (ACMv1: I:Moderate; L:Unlikely) Patched versions: wasmd 0.52.0 In multiple wasmd message types it was possible to add a large number of addresses which might lead to unexpected resource consumption in ValidateBasic. See CWA-2024-003 for more details.