[TRST-1.2-R2] Dependencies with known vulnerabilities #538

@0xHansLee

Description and context

The codebase includes multiple dependencies that have known security vulnerabilities. The affected dependencies and their respective vulnerabilities include:

  • net/http - Request smuggling due to acceptance of invalid chunked data in net/http
    • Impact: The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
    • Reference: CVE-2025-22871
  • github.com/cosmos/cosmos-sdk - Transaction decoding may result in a stack overflow or resource exhaustion
    • Impact: Transaction decoding may result in a stack overflow or resource exhaustion
    • Reference: GHSA-8wcc-m6j2-qxvm

Suggested solution

While the aforementioned vulnerabilities do not directly impact the chain, it is recommended to update the affected dependencies to their latest patched versions.
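As an added example, not part of this issue or the project's code: a strict chunked-body decoder in Go that rejects the bare-LF chunk-size terminator described under CVE-2025-22871 above, the kind of check a reviewer can run against sample bodies when assessing a proxy or server deployed in front of a net/http service. Function and error names (`readChunkSize`, `DecodeChunked`, `ErrNoCRLF`) are hypothetical; the sample bodies in the comments are constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"io"
	"strconv"
	"strings"
)

// ErrNoCRLF: chunk-size line not ended by CRLF, i.e. a bare LF (the lenient parse the issue describes) or truncation.
var ErrNoCRLF = errors.New("chunked: chunk-size line not terminated by CRLF")

// readChunkSize reads one chunk-size line (plus any ";name=value" extension) and returns the chunk length.
func readChunkSize(br *bufio.Reader) (int64, error) {
	line, err := br.ReadString('\n')
	if err != nil || !strings.HasSuffix(line, "\r\n") {
		return 0, ErrNoCRLF
	}
	size := strings.TrimSuffix(line, "\r\n")
	if i := strings.IndexByte(size, ';'); i >= 0 {
		size = size[:i] // drop the chunk extension; only the hex size matters
	}
	n, err := strconv.ParseUint(strings.TrimRight(size, " \t"), 16, 32)
	return int64(n), err // err is non-nil for non-hex input or a size over 32 bits
}

// DecodeChunked decodes a chunked body, requiring CRLF after every chunk-size line and chunk; trailers are not handled.
func DecodeChunked(body []byte) ([]byte, error) {
	br := bufio.NewReader(bytes.NewReader(body))
	var out bytes.Buffer
	for {
		n, err := readChunkSize(br)
		if err != nil {
			return nil, err
		}
		if n == 0 {
			return out.Bytes(), nil
		}
		if _, err := io.CopyN(&out, br, n); err != nil {
			return nil, err
		}
		if term, err := br.Peek(2); err != nil || string(term) != "\r\n" {
			return nil, errors.New("chunked: chunk data not terminated by CRLF")
		}
		br.Discard(2)
	}
}
```

A constructed body such as `"5\r\nhello\r\n0\r\n\r\n"` decodes to `hello`, while `"5\nhello\r\n0\r\n\r\n"` (bare LF after the size) is rejected with `ErrNoCRLF`.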
