Recently, the Tendermint Core team became aware of a high-severity security vulnerability that impacts Tendermint Core v0.34.0 and later. A patch for the issue, which requires no breaking changes, will be released in version v0.34.3 of Tendermint Core, in version v0.40.1 of the Cosmos SDK, and in version 3.0.1 of Gaia at 16:00 UTC on Tuesday, January 19, 2021.
This vulnerability does not impact the current Cosmos Hub, although it is present in Gaia’s scheduled commit for the Stargate Hub Upgrade. Cosmos core developers encourage all Hub operators to choose Gaia v3.0.1 or later when upgrading for Stargate.
This notice has been posted in accordance with our vulnerability disclosure policy. For future security alerts for Tendermint Core, you can also subscribe to our dedicated security mailing list.