Openzeppelin Contracts-Upgradeable vulnerabilities

CVE-2025-54070 [MEDIUM] CWE-125 OpenZeppelin Contracts Bytes's lastIndexOf function with position argument performs out-of-bound memory access on empty buffers OpenZeppelin Contracts Bytes's lastIndexOf function with position argument performs out-of-bound memory access on empty buffers ### Impact The `lastIndexOf(bytes,byte,uint256)` function of the `Bytes.sol` library may access uninitialized memory when the following two conditions hold: 1) the provided buffer length is empty (i.e. `buffer.

CVE-2024-27094 [MEDIUM] CWE-125 OpenZeppelin Contracts base64 encoding may read from potentially dirty memory OpenZeppelin Contracts base64 encoding may read from potentially dirty memory ### Impact The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. Although the `encode` function pads the output for these cases, up to 4 bits of

CVE-2023-49798 [MEDIUM] CWE-670 OpenZeppelin Contracts and Contracts Upgradeable duplicated execution of subcalls in v4.9.4 OpenZeppelin Contracts and Contracts Upgradeable duplicated execution of subcalls in v4.9.4 ### Context Merge conflict resolution issue when porting the v5.0.1 `Multicall` update to the v4.9 branch caused a duplicated line. ### Impact Versions using `Multicall` from `@openzeppelin/[email protected]` and `@openzeppelin/[email protected]` will execute each subcall t

CVE-2023-40014 [MEDIUM] CWE-116 OpenZeppelin Contracts vulnerable to Improper Escaping of Output OpenZeppelin Contracts vulnerable to Improper Escaping of Output ### Impact OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with calldata shorter than 20 bytes. This

CVE-2023-34459 [MEDIUM] CWE-354 OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees ### Impact When the `verifyMultiProof`, `verifyMultiProofCalldata`, `processMultiProof`, or `processMultiProofCalldata` functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves.

CVE-2023-34234 [MEDIUM] CWE-862 OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning ### Impact By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the `Governor` contract in v4.9.0 only, and the `GovernorCompatibil

CVE-2023-30542 [HIGH] CWE-20 GovernorCompatibilityBravo may trim proposal calldata GovernorCompatibilityBravo may trim proposal calldata ### Impact The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatures` array shorter than the `calldatas` array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The `Propos

CVE-2023-30541 [MEDIUM] CWE-436 OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated ### Impact A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting t

CVE-2023-26488 [MEDIUM] CWE-682 OpenZeppelin Contracts contains Incorrect Calculation OpenZeppelin Contracts contains Incorrect Calculation ### Impact The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by `balanceOf`. The issue exclusively presents with batches of size 1. ### Patches The issue has been pat

CVE-2022-35961 [HIGH] CWE-354 OpenZeppelin Contracts vulnerable to ECDSA signature malleability OpenZeppelin Contracts vulnerable to ECDSA signature malleability ### Impact The functions `ECDSA.recover` and `ECDSA.tryRecover` are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format. This is only an issue for the functions that take a single `bytes` argument, and not the functions that take `r, v, s`

CVE-2022-31198 [HIGH] CWE-682 OpenZeppelin Contracts's GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals OpenZeppelin Contracts's GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals ### Impact This issue concerns instances of Governor that use the module `GovernorVotesQuorumFraction`, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected instances, when a proposal is passed to

CVE-2022-35916 [MEDIUM] CWE-669 OpenZeppelin Contracts's Cross chain utilities for Arbitrum L2 see EOA calls as cross chain calls OpenZeppelin Contracts's Cross chain utilities for Arbitrum L2 see EOA calls as cross chain calls ### Impact Contracts using the cross chain utilies for Arbitrum L2, `CrossChainEnabledArbitrumL2` or `LibArbitrumL2`, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not started on L1. This is assessed as

CVE-2022-35915 [MEDIUM] CWE-400 OpenZeppelin Contracts ERC165Checker unbounded gas consumption OpenZeppelin Contracts ERC165Checker unbounded gas consumption ### Impact The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. ### Patches The issue has been fixed in v4.7.2. ### References https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3587 ##

CVE-2022-31172 [HIGH] CWE-20 OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers ### Impact `SignatureChecker.isValidSignatureNow` is not expected to revert. However, an incorrect assumption about Solidity 0.8's `abi.decode` allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected. The contracts that may be affected are those that use `Signature

CVE-2022-31170 [HIGH] CWE-20 OpenZeppelin Contracts's ERC165Checker may revert instead of returning false OpenZeppelin Contracts's ERC165Checker may revert instead of returning false ### Impact `ERC165Checker.supportsInterface` is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8's `abi.decode` allows some cases to revert, given a target contract that doesn't implement EIP-165 as expected, specifically if it

CVE-2022-39384 [MEDIUM] CWE-665 OpenZeppelin Contracts initializer reentrancy may lead to double initialization OpenZeppelin Contracts initializer reentrancy may lead to double initialization ### Impact Initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an exception put in place

CVE-2021-41264 [CRITICAL] CWE-665 UUPSUpgradeable vulnerability in @openzeppelin/contracts UUPSUpgradeable vulnerability in @openzeppelin/contracts ### Impact Upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon. ### Patches A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`. ### Workarounds Initialize imple

CVE-2021-39168 [CRITICAL] CWE-269 TimelockController vulnerability in OpenZeppelin Contracts TimelockController vulnerability in OpenZeppelin Contracts ### Impact A vulnerability in `TimelockController` allowed an actor with the executor role to take immediate control of the timelock, by resetting the delay to 0 and escalating privileges, thus gaining unrestricted access to assets held in the contract. Instances with the executor role set to "open" allow anyone to use the executor role, thus l