x/vulndb: potential Go vuln in github.com/MANTRA-Chain/mantrachain: GHSA-qwvm-wqq8-8j69 #3997
Description
Advisory GHSA-qwvm-wqq8-8j69 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/MANTRA-Chain/mantrachain |
| github.com/MANTRA-Chain/mantrachain/v2 |
| github.com/MANTRA-Chain/mantrachain/v3 |
| github.com/MANTRA-Chain/mantrachain/v4 |
Description:
Impact
send hooks can spend more gas than what's remained in tx, combined with recursive calls in the wasm contract, can amplify the gas consumption exponentially.
Patches
It's patched in v4.0.2 and v5.0.0
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References:
- ADVISORY: GHSA-qwvm-wqq8-8j69
- ADVISORY: GHSA-qwvm-wqq8-8j69
- REPORT: None MANTRA-Chain/mantrachain#432
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/MANTRA-Chain/mantrachain
non_go_versions:
- introduced: TODO (earliest fixed "", vuln range "< 4.0.2")
vulnerable_at: 1.0.3
- module: github.com/MANTRA-Chain/mantrachain/v2
vulnerable_at: 2.0.3
- module: github.com/MANTRA-Chain/mantrachain/v3
vulnerable_at: 3.0.3
- module: github.com/MANTRA-Chain/mantrachain/v4
versions:
- fixed: 4.0.2
vulnerable_at: 4.0.1
summary: |-
github.com/MANTRA-Chain/mantrachain/x/tokenfactory tx gas limit is not enforced
in send hooks in github.com/MANTRA-Chain/mantrachain
cves:
- CVE-2025-61595
ghsas:
- GHSA-qwvm-wqq8-8j69
references:
- advisory: https://github.com/MANTRA-Chain/mantrachain/security/advisories/GHSA-qwvm-wqq8-8j69
- advisory: https://github.com/advisories/GHSA-qwvm-wqq8-8j69
- report: https://github.com/MANTRA-Chain/mantrachain/issues/432
source:
id: GHSA-qwvm-wqq8-8j69
created: 2025-09-30T22:01:44.430682674Z
review_status: UNREVIEWED