PT-2024-40031 · Unknown+1 · Cosmwasm-Vm+1

Published 2024-12-10 · Updated 2024-12-10

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

wasmvm versions 2.1.0 through 2.1.2
wasmvm versions 2.0.0 through 2.0.3
wasmvm versions prior to 1.5.5
cosmwasm-vm versions 2.1.0 through 2.1.3
cosmwasm-vm versions 2.0.0 through 2.0.6
cosmwasm-vm versions prior to 1.5.8

Description

The issue was found by meadow101 and reported to the Cosmos Bug Bounty Program on HackerOne. A patch has been developed and released. The patch is consensus breaking and requires a coordinated upgrade.

Recommendations

For wasmvm versions 2.1.0 through 2.1.2, update to version 2.1.3.
For wasmvm versions 2.0.0 through 2.0.3, update to version 2.0.4.
For wasmvm versions prior to 1.5.5, update to version 1.5.5.
For cosmwasm-vm versions 2.1.0 through 2.1.3, update to version 2.1.4.
For cosmwasm-vm versions 2.0.0 through 2.0.6, update to version 2.0.7.
For cosmwasm-vm versions prior to 1.5.8, update to version 1.5.8.

To apply the patch, check the current wasmvm version, bump the dependency in your go.mod, update static libraries if used, and follow regular practices to deploy chain upgrades.
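
The "check the current wasmvm version" step can be automated against a chain's go.mod. The following is an added example, not code from the advisory or from the wasmvm project: it maps the wasmvm version found in go.mod to the fixed release listed above. The module path `github.com/CosmWasm/wasmvm` (with an optional `/vN` suffix) and the function names are assumptions, and the Rust crate cosmwasm-vm is not covered.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Assumed module path; the advisory only names the package "wasmvm".
const modPat = `github\.com/CosmWasm/wasmvm(?:/v\d+)?\s+v(\d+)\.(\d+)\.(\d+)`

var requireRe = regexp.MustCompile(modPat)
var replaceRe = regexp.MustCompile(`=>\s*` + modPat)

// FixFor maps a wasmvm version to the patched release listed in the advisory,
// or returns "" when the version is outside the affected ranges.
func FixFor(major, minor, patch int) string {
	switch {
	case major == 2 && minor == 1 && patch <= 2:
		return "2.1.3"
	case major == 2 && minor == 0 && patch <= 3:
		return "2.0.4"
	case major < 1, major == 1 && minor < 5, major == 1 && minor == 5 && patch < 5:
		return "1.5.5"
	}
	return ""
}

// CheckGoMod finds the effective wasmvm version in go.mod text. A replace
// directive overrides require, so it wins. Pre-release suffixes are ignored.
func CheckGoMod(gomod string) (current, fix string, found bool) {
	m := replaceRe.FindStringSubmatch(gomod)
	if m == nil {
		m = requireRe.FindStringSubmatch(gomod)
	}
	if m == nil {
		return "", "", false
	}
	var v [3]int
	for i := range v {
		v[i], _ = strconv.Atoi(m[i+1]) // regex guarantees digits
	}
	return fmt.Sprintf("%d.%d.%d", v[0], v[1], v[2]), FixFor(v[0], v[1], v[2]), true
}

func main() {
	// Constructed sample go.mod text, not from a real chain.
	fmt.Println(CheckGoMod("require github.com/CosmWasm/wasmvm/v2 v2.1.2\n"))
}
```

A replace directive that points at a fork under a different module path is not recognised here, so a fork has to be checked against its own upstream base version by hand.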

Related Identifiers

GHSA-2Q97-M5RC-P3GP

Affected Products

Cosmwasm-Vm
Wasmvm