High severity security patch upcoming on Wed 10th: CWA-2023-004 (brought to you by CertiK and Confio)

Dear community,

on Wednesday, January 10th between 10:00 and 12:00 Berlin time Confio will release a fix for a high severity security issue in the CosmWasm virtual machine tracked as CWA-2023-004. The patch for this issue will be distributed and communicated via the regular CosmWasm release process.

This issue impacts the availability of a chain running CosmWasm. Chains that use CosmWasm with permissioned uploads or instantiations are not directly at risk. We advise chains that support permissionless contract instantiation uploads to be prepared to apply the patch and to coordinate network upgrades as quickly as their processes allow to fully remediate the issue.

The patch is a non consensus breaking security fix and can be applied in-place. Instructions will be provided as part of the release process. We anticipate that the patch will be a simple, straightforward fix for chain maintainers as it is a matter of updating the wasmvm Go dependency and rebuilding the application.

Patches will be provided for wasmvm 1.2, 1.3, 1.4 and 1.5. Please note that 1.2 reached end of life and this is the last patch for this version.

Update 2024-01-09

I had to make a small correction to the announcement: Chains that allow permissionless uploads and permissioned instantiations are partially affected as well and should upgrade. A chain is only safe if no malicious Wasm can be stored.


The patch for CWA-2023-004 is now public. In advisories/CWAs/CWA-2023-004.md at main · CosmWasm/advisories · GitHub we added all relevant information for upgrading. “Installing the patch” includes some hints for how to do the upgrade.

At this point I’d like to thank the CertiK team for responsibly disclosing the issue and collaborating on the patch.

1 Like

Thanks very much for the fix and the hints sir!

I would also like to note that @simon_warta provided one-on-one support when it was needed, and that the back port of the fix to 1.2x was not necessary but done anyway and Simon and Confio have my sincere appreciation for this.