CVE-2024-58263
BaseFortify
Publication date: 2025-07-27
Last updated on: 2025-08-07
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
| Probability | Percentile |
|---|---|
| | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cosmwasm | cosmwasm-std | From 1.3.0 (inc) to 1.4.4 (exc) |
| cosmwasm | cosmwasm-std | From 1.5.0 (inc) to 1.5.4 (exc) |
| cosmwasm | cosmwasm-std | From 2.0.0 (inc) to 2.0.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-58263 is an arithmetic overflow vulnerability in the Rust package cosmwasm-std. It occurs because certain mathematical operations use wrapping arithmetic instead of panicking on overflow when handling very large numbers. This can cause incorrect calculations in smart contracts that rely on these operations, affecting functions like Uint256::pow, Int256::pow, Int256::neg, and others. [1]
How can this vulnerability impact me?
This vulnerability can lead to incorrect contract calculations in smart contracts using the affected cosmwasm-std functions. As a result, it may cause logic errors, financial miscalculations, or unintended behavior in blockchain applications relying on these contracts. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves identifying whether your system uses a vulnerable version of the cosmwasm-std crate (versions >= 1.3.0 and < 1.4.4, >= 1.5.0 and < 1.5.4, or >= 2.0.0 and < 2.0.2). You can check the resolved version of cosmwasm-std in your Rust project's Cargo.lock (Cargo.toml only records the requested version range). For example, run `cargo tree | grep cosmwasm-std` or `cargo tree -i cosmwasm-std` (which also shows which dependencies pull it in), or inspect Cargo.lock directly; `cargo audit` checks Cargo.lock against the RustSec advisory database. Additionally, verify whether `overflow-checks` is enabled for the profile you ship: it is a Cargo profile setting (for example under `[profile.release]` in Cargo.toml), and it is off by default in release builds. There are no specific network detection commands, since this is a code-level vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade the cosmwasm-std crate to a fixed version: >= 1.4.4 and < 1.5.0, >= 1.5.4 and < 2.0.0, or >= 2.0.2. Also, ensure that `overflow-checks = true` is set in the Cargo profile used for your contract builds, so that integer overflows panic at runtime instead of wrapping silently. Review your smart contracts for usage of the affected functions (pow and neg operations on Uint256, Uint512, Int256, Int512, and others) and test thoroughly after upgrading. [1]
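The following Rust snippet is an added illustration, not code from cosmwasm-std or from this advisory. It uses the standard-library `u128`/`i128` types as stand-ins for the 256-bit types named above to show the behavioural difference the advisory describes: a wrapping `pow`/`neg` silently returns a wrong value, while the checked form reports failure. The `overflow_checks_enabled` probe (an assumption of this example, not something the page provides) uses `std::hint::black_box` and `catch_unwind` to test at runtime whether the current build traps on plain `+` overflow, which is what the `overflow-checks` profile setting controls.

```rust
// Added example (not cosmwasm-std code): wrapping versus checked arithmetic,
// using u128/i128 in place of the crate's Uint256/Int256 types.

/// Silent wraparound, the behaviour the advisory describes as the defect.
/// 2^128 does not fit in u128, so the result wraps to 0 with no error.
pub fn pow_wrapping(base: u128, exp: u32) -> u128 {
    base.wrapping_pow(exp)
}

/// Checked exponentiation: returns None instead of a wrong value.
pub fn pow_checked(base: u128, exp: u32) -> Option<u128> {
    base.checked_pow(exp)
}

/// Negation edge case: i128::MIN has no positive counterpart, so the
/// wrapping form hands back i128::MIN unchanged (a wrong "absolute value").
pub fn neg_wrapping(x: i128) -> i128 {
    x.wrapping_neg()
}

/// Checked negation reports the same edge case as a failure.
pub fn neg_checked(x: i128) -> Option<i128> {
    x.checked_neg()
}

/// Runtime probe (constructed for this example): does this build trap on
/// plain `+` overflow? With `overflow-checks = true` (the default in debug
/// and test profiles) the addition panics and is caught here; with the
/// checks off (release default) it wraps and the function returns false.
/// `black_box` keeps the operands opaque so the compiler cannot reject the
/// overflow at compile time.
pub fn overflow_checks_enabled() -> bool {
    std::panic::catch_unwind(|| {
        let x: u8 = std::hint::black_box(u8::MAX);
        let _ = x + std::hint::black_box(1u8);
    })
    .is_err()
}

fn main() {
    println!("2^128 wrapping        = {}", pow_wrapping(2, 128));
    println!("2^128 checked         = {:?}", pow_checked(2, 128));
    println!("-(i128::MIN) wrapping = {}", neg_wrapping(i128::MIN));
    println!("-(i128::MIN) checked  = {:?}", neg_checked(i128::MIN));
    println!("overflow-checks active: {}", overflow_checks_enabled());
}
```

Run it once with `cargo run` and once with `cargo run --release` to see the probe flip unless `overflow-checks = true` is set under `[profile.release]`; the wrapping results stay wrong in both modes, which is why upgrading the crate (so that its arithmetic itself is checked) matters independently of the profile flag.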