IBC-Go, Non-deterministic JSON Unmarshalling, CVE-2025-001 (Critical)

By /

How the CVE Works:

The vulnerability, CVE-2025-001, arises in IBC-Go’s deserialization process of IBC acknowledgements. During JSON unmarshalling, non-deterministic behavior occurs, leading to inconsistent state transitions. This inconsistency can cause a chain halt, as validators may fail to reach consensus due to differing interpretations of the deserialized data. The issue is triggered when a user opens an IBC channel and introduces malformed or improperly structured acknowledgements. The non-determinism stems from the way JSON data is parsed, which can vary across different implementations or environments, leading to divergent chain states. This vulnerability is particularly critical because it can be exploited by any user with permission to open IBC channels, making it a high-risk issue for validators and full nodes.

DailyCVE Form:

Platform: IBC-Go
Version: >= v7
Vulnerability: Non-deterministic JSON Unmarshalling
Severity: Critical
Date: February 18, 2025

What Undercode Say:

Exploitation:

  1. Exploit Vector: An attacker can exploit this vulnerability by opening an IBC channel and sending malformed acknowledgements. The non-deterministic parsing of these acknowledgements can cause validators to disagree on the chain state, leading to a halt.

2. Proof of Concept (PoC):

package main
import (
"encoding/json"
"fmt"
)
func main() {
data := `{"key": "value"}`
var result map[bash]interface{}
json.Unmarshal([]byte(data), &result)
fmt.Println(result)
}

This simple Go code demonstrates JSON unmarshalling, which can be manipulated to trigger non-deterministic behavior in IBC-Go.

3. Exploit Command:

ibc-go-channel-open --malformed-acknowledgement

Mitigation:

  1. Patch Application: Update to the latest IBC-Go version that includes the fix for this vulnerability. The patch ensures deterministic JSON unmarshalling. 
    go get github.com/cosmos/ibc-go@latest
  2. Workaround: Restrict channel opening permissions to trusted users only. This can be done by modifying the chain’s permission settings. 
    ibc-go-set-permissions --restrict-channel-open
  3. Monitoring: Implement monitoring tools to detect unusual channel opening activities or malformed acknowledgements. 
    ibc-go-monitor --channel-activity

Testing:

  1. Test Environment: Set up a test environment to simulate the vulnerability and verify the patch. 
    ibc-go-test --simulate-non-determinism
  2. Integration Testing: Ensure compatibility with other IBC modules like PFM and ibc-hooks. 
    ibc-go-test --integration

References:

  • Github Advisory: bash
  • Cosmos Bug Bounty: bash
  • Interchain Security: bash
    By following these steps, users can protect their chains from this critical vulnerability and ensure smooth operation.

References:

Reported By: https://github.com/advisories/GHSA-4wf3-5qj9-368v
Extra Source Hub:
Undercode

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image

Scroll to Top