GHSA-mx2j-7cmv-353c: 
Rust vulnerability analysis and mitigation

A medium severity vulnerability (GHSA-mx2j-7cmv-353c) was discovered in CosmWasm/wasmvm that affects multiple versions of the software. The affected versions include wasmvm >= 2.2.0, < 2.2.2; wasmvm >= 2.1.0, < 2.1.5; wasmvm >= 2.0.0, < 2.0.6; and wasmvm < 1.5.8. The vulnerability was discovered on November 24, 2024, and the patch was released on February 4, 2025. The issue has been patched in versions wasmvm 1.5.8, 2.0.6, 2.1.5, and 2.2.2 (CosmWasm Advisory).

The vulnerability allows malicious smart contracts to slow down block production in the CosmWasm blockchain environment. The issue primarily affects non-permissioned chains, as it requires the deployment of a malicious contract to exploit. The vulnerability has been assigned a Medium (Moderate + Likely) severity rating according to Amulet's Severity Classification Framework (CosmWasm Advisory).

The primary impact of this vulnerability is the potential degradation of blockchain performance through slower block production. This could affect the overall throughput and efficiency of affected blockchain networks (CosmWasm Advisory).

The vulnerability has been patched in multiple versions. Users are advised to upgrade to the patched versions: wasmvm 1.5.8, 2.0.6, 2.1.5, or 2.2.2. The upgrade process involves checking the current wasmvm version, updating the dependency in go.mod, running go mod tidy, and following regular chain upgrade practices. The patch is consensus-breaking and requires a coordinated upgrade (CosmWasm Advisory).