GHSA-fpgj-cr28-fvpx: 
vulnerability analysis and mitigation

A medium severity vulnerability (GHSA-fpgj-cr28-fvpx) was identified in wasmd version 0.52.0, affecting the smart contract query functionality. The vulnerability was discovered on July 25, 2024, through the Cosmos Bug Bounty Program and has been patched in wasmd version 0.53.0 (CosmWasm Advisory).

The vulnerability relates to a non-deterministic modulequerysafe query in the wasmd implementation. The issue was addressed by removing the cosmos.query.v1.modulequerysafe annotation from the SmartContractState RPC in the protocol buffer definition (Wasmd Commit).

The vulnerability was classified as Medium severity according to Amulet's Severity Classification Framework ACMv1, with Moderate impact and Likely likelihood (CosmWasm Advisory).

Users are advised to upgrade to wasmd version 0.53.0 which contains the patch. The upgrade process involves updating the github.com/CosmWasm/wasmd dependency in go.mod to version 0.53.0, running go mod tidy, and following regular chain upgrade practices (CosmWasm Advisory).

The patch release was officially announced on X (formerly Twitter) on August 20, 2024 (CosmWasm Advisory).