ViperStrike

High
agouin published GHSA-w6rp-vxj2-fjhr Oct 25, 2023

Package

gomod github.com/cosmos/ibc-apps/middleware/packet-forward-middleware (Go)

Affected versions

v4.1.0, v5.2.0, v6.1.0

Patched versions

v4.1.1, v5.2.1, v6.1.1

Description

Impact

Chains running any of the following packet-forward-middleware versions are subject to a potential chain halt caused by non-deterministic errors:
v4.1.0
v5.2.0
v6.1.0

Strangelove has already begun disclosure by contacting impacted parties. If you have not been contacted, you are likely not impacted.

This issue was reported by the Osmosis team via the Cosmos HackerOne Program, which now includes rewards for valid bugs reported in the Packet Forward Middleware repository. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

Patches

Please patch at your earliest convenience by applying the patch version below that matches the chain's ibc-go major version:
v4.1.1
v5.2.1
v6.1.1
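
A check for the versions listed above, as an added example (not code from the advisory or from the packet-forward-middleware project): it scans a chain's go.mod for the middleware and reports the patched version to move to, treating a replace directive as the version that is actually built. The names CheckGoMod and Finding, the handling of a /vN module-path suffix, and the sample input are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Module path from the advisory; go.mod may append a /vN major-version suffix (assumption).
const pfmPath = "github.com/cosmos/ibc-apps/middleware/packet-forward-middleware"

// Affected version -> patched version, both as listed in the advisory.
var patched = map[string]string{"v4.1.0": "v4.1.1", "v5.2.0": "v5.2.1", "v6.1.0": "v6.1.1"}
var versionRe = regexp.MustCompile(`\bv\d+\.\d+\.\d+\S*`)

// Finding is one go.mod line that selects a version of the middleware.
type Finding struct {
	Line    int    // 1-based line number in go.mod
	Version string // version that gets built; "" if the line names none (local path)
	FixTo   string // patched version to move to; "" if Version is not affected
}

// CheckGoMod reports the lines that decide which middleware version is built. A replace
// directive overrides require, so if one exists only it is reported (one major assumed).
func CheckGoMod(gomod string) []Finding {
	found := map[bool][]Finding{} // keyed by "line is a replace directive"
	for i, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop comments and commented-out lines
		left, right, isReplace := strings.Cut(line, "=>")
		if !strings.Contains(left, pfmPath) {
			continue
		}
		src := left
		if isReplace {
			src = right // the right-hand side of a replace is what gets compiled
		}
		v := versionRe.FindString(src)
		found[isReplace] = append(found[isReplace], Finding{i + 1, v, patched[v]})
	}
	if len(found[true]) > 0 {
		return found[true]
	}
	return found[false]
}

func main() {
	fmt.Println(CheckGoMod("require " + pfmPath + "/v4 v4.1.0\n")) // constructed sample line
}
```

A finding with an empty FixTo is not one of the three affected versions; an empty Version means the replace points at a local path and has to be inspected by hand.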

More details coming soon...

Severity

High

CVE ID

No known CVE

Weaknesses

No CWEs