GHSA-jg6f-48ff-5xrw: IBC-Go has Non-deterministic JSON Unmarshalling of IBC Acknowledgement

February 28, 2025

Name: ASA-2025-004: Non-deterministic JSON Unmarshalling of IBC Acknowledgement can result in a chain halt Component: IBC-Go Criticality: Critical (Considerable Impact; Almost Certain Likelihood per ACMv1.2) Affected versions: IBC-Go >= v7; Earlier IBC-Go versions may also be affected. Affected users: Validators, Full nodes, IBC Middleware authors

References

github.com/advisories/GHSA-jg6f-48ff-5xrw
github.com/cosmos/ibc-go
github.com/cosmos/ibc-go/commit/59987d52d959dc5876ffd4f307c9b33a52a43748
github.com/cosmos/ibc-go/commit/9869b3c6f7eb05a935b1eb33611c5406f68438a5
github.com/cosmos/ibc-go/security/advisories/GHSA-jg6f-48ff-5xrw

Code Behaviors & Features

Detect and mitigate GHSA-jg6f-48ff-5xrw with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →