GHSA-7225-m954-23v7: 
vulnerability analysis and mitigation

The vulnerability (GHSA-7225-m954-23v7) affects the cosmossdk.io/math package versions 1.3.0 and below, discovered on October 31, 2024. This high-severity issue involves mismatched bit-length validation between sdk.Int and sdk.Dec types, which can lead to panic conditions when interacting with Dec types in an Int context (GitHub Advisory).

The vulnerability stems from misaligned bit-length validations between sdk.Int and sdk.Dec data types in the cosmossdk.io/math package. The issue has been assigned a CVSS v4.0 score of 8.7 (High) with a vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-190 and primarily affects the availability of the system while having no impact on confidentiality or integrity (GitHub Advisory).

This vulnerability impacts consumers of the cosmossdk.io/math package, including popular modules such as IBC-Go and tokenfactory (permissionless). When exploited, it can cause panic conditions in systems that interact with the package's APIs or utilize modules consuming this library (GitHub Advisory).

The vulnerability has been patched in cosmossdk.io/math v1.4.0. Users are advised to update their project's go.mod dependency from v1.3.0 to v1.4.0. For users on versions lower than v1.3.0, a coordinated upgrade is recommended before upgrading to v1.4.0 or higher. The patch can be applied without requiring a hard-fork (GitHub Advisory).