
Cloud Vulnerability DB
A community-led vulnerabilities database
A medium severity vulnerability (GHSA-23qp-3c2m-xx6w) was discovered in CosmWasm/wasmvm. Affected versions are >= 2.2.0 and < 2.2.2, >= 2.1.0 and < 2.1.5, >= 2.0.0 and < 2.0.6, and every release before 1.5.8. The issue was reported on November 25, 2024 through the Cosmos bug bounty program and was patched in releases 1.5.8, 2.0.6, 2.1.5 and 2.2.2 on February 4, 2025 (CosmWasm Advisory).
The vulnerable code is present on both permissioned and permissionless chains, but it can only be triggered reliably by a malicious contract, and the impact is a crash of the chain. Permissioned chains are therefore less exposed: an attacker would first have to get a malicious contract deployed, which contract-upload restrictions make harder. The issue was classified as Medium severity (Moderate impact, Likely) under Amulet's Severity Classification Framework. The fix was applied as separate patches to each supported release line (CosmWasm Advisory).
Users are advised to update to a patched version: wasmvm 1.5.8, 2.0.6, 2.1.5, or 2.2.2. The update process is to check which wasmvm version the chain currently builds against (it is typically pulled in indirectly through wasmd, so look for it in go.mod even if the chain does not import it directly), bump the dependency in go.mod, run go mod tidy, and then follow the chain's regular upgrade procedure. The fix for this issue is not itself consensus breaking, but the patch releases also carry another consensus-breaking fix, so validators must upgrade in a coordinated fashion rather than individually (CosmWasm Advisory).
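As an added example, not code from the CosmWasm advisory or the wasmvm project: a small Go program that performs the first step of the procedure above offline. It parses a go.mod (here a constructed sample embedded in the code), resolves the wasmvm version with replace directives taken into account, checks it against the advisory's affected ranges, and reports the first fixed release on that line. It assumes wasmvm is required under the module paths github.com/CosmWasm/wasmvm (1.x) and github.com/CosmWasm/wasmvm/v2 (2.x), and that version components stay below 1000.

```go
package main

import (
	"fmt"
	"strings"
)

// Affected [lo, fixed) intervals from GHSA-23qp-3c2m-xx6w; lo 0.0.0 stands for "< 1.5.8".
var affectedRanges = []struct{ lo, fixed string }{
	{"0.0.0", "1.5.8"},
	{"2.0.0", "2.0.6"},
	{"2.1.0", "2.1.5"},
	{"2.2.0", "2.2.2"},
}

// sampleGoMod is a constructed go.mod for illustration, not taken from any real chain.
const sampleGoMod = `module github.com/example/chain

require (
	github.com/CosmWasm/wasmvm/v2 v2.1.4 // indirect
)
`

// isWasmvm matches the module paths wasmvm is required under (1.x has no suffix, 2.x uses /v2).
func isWasmvm(path string) bool {
	return path == "github.com/CosmWasm/wasmvm" || path == "github.com/CosmWasm/wasmvm/v2"
}

// versionKey maps "v2.1.4", "2.1.4" or "v2.1.4-rc.1" to a comparable int (major*1e6+minor*1e3+patch);
// pre-release/build suffixes are dropped and each component is assumed to be below 1000.
func versionKey(v string) (int, error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var major, minor, patch int
	if n, err := fmt.Sscanf(v, "%d.%d.%d", &major, &minor, &patch); err != nil || n != 3 {
		return 0, fmt.Errorf("malformed version %q", v)
	}
	return major*1_000_000 + minor*1_000 + patch, nil
}

// Assess reports whether a wasmvm version is affected and, if so, the first release on its line that fixes it.
func Assess(version string) (affected bool, fixed string, err error) {
	v, err := versionKey(version)
	if err != nil {
		return false, "", err
	}
	for _, r := range affectedRanges {
		lower, _ := versionKey(r.lo)
		upper, _ := versionKey(r.fixed)
		if v >= lower && v < upper {
			return true, r.fixed, nil
		}
	}
	return false, "", nil
}

// WasmvmVersionFromGoMod returns the wasmvm version a go.mod resolves to. A replace directive
// pointing at another wasmvm version overrides the require line, since that is what gets built.
func WasmvmVersionFromGoMod(gomod string) (string, error) {
	var required, replaced string
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and other comments
		left, right, isReplace := strings.Cut(line, "=>")
		fields := strings.Fields(left)
		if len(fields) > 0 && (fields[0] == "require" || fields[0] == "replace") {
			fields = fields[1:] // single-line directive form
		}
		if len(fields) == 0 || !isWasmvm(fields[0]) {
			continue
		}
		if isReplace {
			rf := strings.Fields(right)
			if len(rf) != 2 || !isWasmvm(rf[0]) {
				return "", fmt.Errorf("wasmvm replaced by %q; resolve that target manually", strings.TrimSpace(right))
			}
			replaced = rf[1]
		} else if len(fields) >= 2 {
			required = fields[1]
		}
	}
	if replaced != "" {
		return replaced, nil // replace wins over require
	}
	if required == "" {
		return "", fmt.Errorf("wasmvm not found in go.mod")
	}
	return required, nil
}

func main() {
	v, err := WasmvmVersionFromGoMod(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	affected, fixed, err := Assess(v)
	fmt.Printf("wasmvm %s: affected=%v fixed=%q err=%v\n", v, affected, fixed, err)
}
```

On a real checkout, `go list -m github.com/CosmWasm/wasmvm/v2` (without the /v2 suffix for the 1.x line) prints the resolved version with replace directives applied, which is what the parser above approximates. A replace that points at a local path or a fork, or a pseudo-version, needs manual review, because the version string alone says nothing about whether the fix is present.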
Source: This report was generated using AI