cheqd-node Security patch for upstream vulnerabilities in IBC-Go (ISA-2025-001) and Cosmos SDK (ISA-2025-002)
Package
Affected versions
< 3.1.8
Patched versions
3.1.8
Published to the GitHub Advisory Database
Mar 13, 2025
Reviewed
Mar 13, 2025
Last updated
Mar 13, 2025
Description
There have been two upstream security advisories and associated patches published under ISA-2025-001 and ISA-2025-002.
ISA-2025-001 affects the IBC-Go package, where non-deterministic JSON unmarshalling of IBC Acknowledgements can result in a chain halt.
ISA-2025-002 affects the Cosmos SDK package, where x/group can halt when erroring in EndBlocker.
Impact
If unaddressed, this could result in a chain halt.
Patches
Validators, full nodes, and IBC relayers should upgrade to cheqd-node v3.1.8. This upgrade does not require a software upgrade proposal on-chain and is meant to be non state-breaking.
References