data/reports: add GO-2025-3803
- data/reports/GO-2025-3803.yaml
High priority
Fixes golang/vulndb#3803
Change-Id: Ia2d129b8c5436d90bd134ed423a52b51b88686bf
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/688436
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
diff --git a/data/osv/GO-2025-3803.json b/data/osv/GO-2025-3803.json
new file mode 100644
index 0000000..5e67d0c
--- /dev/null
+++ b/data/osv/GO-2025-3803.json
@@ -0,0 +1,66 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2025-3803",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "GHSA-p22h-3m2v-cmgh"
+ ],
+ "summary": "Integer Overflow vulnerability in its Validator Rewards pool can cause a chain halt in github.com/cosmos/cosmos-sdk",
+ "details": "Integer Overflow vulnerability in its Validator Rewards pool can cause a chain halt in github.com/cosmos/cosmos-sdk",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/cosmos/cosmos-sdk",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.50.14"
+ },
+ {
+ "introduced": "0.52.0-alpha.1"
+ },
+ {
+ "fixed": "0.53.3"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/cosmos/cosmos-sdk/x/distribution/keeper",
+ "symbols": [
+ "msgServer.DepositValidatorRewardsPool"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-p22h-3m2v-cmgh"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/cosmos/cosmos-sdk/commit/c4a14fa7b6828432fdabdb8b4af68ade9403ce49"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/cosmos/cosmos-sdk/commit/f2e6295b662fdb27ea33da1296c29588ccdaab42"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2025-3803",
+ "review_status": "REVIEWED"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2025-3803.yaml b/data/reports/GO-2025-3803.yaml
new file mode 100644
index 0000000..a15b542
--- /dev/null
+++ b/data/reports/GO-2025-3803.yaml
@@ -0,0 +1,25 @@
+id: GO-2025-3803
+modules:
+ - module: github.com/cosmos/cosmos-sdk
+ versions:
+ - fixed: 0.50.14
+ - introduced: 0.52.0-alpha.1
+ - fixed: 0.53.3
+ vulnerable_at: 0.53.2
+ packages:
+ - package: github.com/cosmos/cosmos-sdk/x/distribution/keeper
+ symbols:
+ - msgServer.DepositValidatorRewardsPool
+summary: |-
+ Integer Overflow vulnerability in its Validator Rewards pool can cause a chain
+ halt in github.com/cosmos/cosmos-sdk
+ghsas:
+ - GHSA-p22h-3m2v-cmgh
+references:
+ - advisory: https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-p22h-3m2v-cmgh
+ - fix: https://github.com/cosmos/cosmos-sdk/commit/c4a14fa7b6828432fdabdb8b4af68ade9403ce49
+ - fix: https://github.com/cosmos/cosmos-sdk/commit/f2e6295b662fdb27ea33da1296c29588ccdaab42
+source:
+ id: GHSA-p22h-3m2v-cmgh
+ created: 2025-07-16T20:35:52.509523844Z
+review_status: REVIEWED
