GHSA-g8w7-7vgg-x7xg: 
vulnerability analysis and mitigation

A high severity stack overflow vulnerability was identified in wasmd affecting versions >= 0.50.0, < 0.53.0 and < 0.46.0. The vulnerability was discovered through the Cosmos Bug Bounty Program and has been assigned the identifier GHSA-g8w7-7vgg-x7xg. The issue has been patched in wasmd versions 0.53.0 and 0.46.0 (CosmWasm Advisory).

The vulnerability is classified as High severity with Critical impact and Likely exploitability according to Amulet's Severity Classification Framework. It has a CVSS v4.0 base score of 8.7 with the following vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. The vulnerability is related to stack overflow conditions in the wasmd implementation (GitHub Advisory).

The vulnerability primarily affects the availability of the system, as indicated by the CVSS metrics showing High availability impact (VA:H) while maintaining no impact on confidentiality and integrity. This suggests the stack overflow condition could lead to service disruption (GitHub Advisory).

Users are advised to upgrade to the patched versions: wasmd 0.53.0 for Cosmos SDK 0.50 compatible systems or wasmd 0.46.0 for Cosmos SDK 0.47 compatible systems. The patches can be applied by updating the github.com/CosmWasm/wasmd dependency in the go.mod file and running go mod tidy (CosmWasm Advisory).

The vulnerability was publicly announced on X (formerly Twitter) by CosmWasm on August 20, 2024 (CosmWasm Advisory).