PT-2025-10986 — Deserialization of Untrusted Data in Go Github.Com/Cheqd/Cheqd-Node

PT-2025-10986 · Go · Github.Com/Cheqd/Cheqd-Node

Published

2025-03-11

Updated

2025-03-11

CVSS v4.0

9.3

Critical

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

An issue was discovered in IBC-Go's deserialization of acknowledgements that results in non-deterministic behavior which can halt a chain. Any user that can open an IBC channel can introduce this state to the chain.

This an upstream dependency used in cheqd-node, rather than a custom module.

Impact

Could result in a chain halt.

Patches

Validators, full nodes, and IBC relayers should upgrade to cheqd-node v3.1.7. This upgrade does not require a software upgrade proposal on-chain and is meant to be non state-breaking.

References

See ASA-2025-004: Non-deterministic JSON Unmarshalling of IBC Acknowledgement can result in a chain halt upstream on IBC-Go.

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

GHSA-33CR-M232-XQCH

Affected Products

Github.Com/Cheqd/Cheqd-Node