Openzeppelin Openzeppelin-Contracts vulnerabilities

CVE-2025-54070 [MEDIUM] CWE-125 CVE-2025-54070: OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 5.2.0 OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 5.2.0 and prior to version 5.4.0, the `lastIndexOf(bytes,byte,uint256)` function of the `Bytes.sol` library may access uninitialized memory when the following two conditions hold: 1) the provided buffer length is empty (i.e. `buffer.length == 0`) and posit

CVE-2024-27094 [HIGH] CWE-125 CVE-2024-27094: OpenZeppelin Contracts is a library for secure smart contract development. The `Base64.encode` funct OpenZeppelin Contracts is a library for secure smart contract development. The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The vulnerability is fixed in 5.0.2 and 4.9.6.

CVE-2023-49798 [HIGH] CWE-670 CVE-2023-49798: OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5 OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of `Multicall.sol` released in `@openzeppelin/[email protected]` and `@openzeppelin/[email protected]`, all subcalls are executed twice. Concretely, this exposes a user to un

CVE-2023-40014 [MEDIUM] CWE-116 CVE-2023-40014: OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstan

CVE-2023-34459 [MEDIUM] CWE-354 CVE-2023-34459: OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and pr OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the `verifyMultiProof`, `verifyMultiProofCalldata`, `procesprocessMultiProof`, or `processMultiProofCalldat` functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitra

CVE-2023-34234 [MEDIUM] CWE-862 CVE-2023-34234: OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the `Governor` contract in v4.9.0 only, and the `GovernorCompa

CVE-2023-30541 [MEDIUM] CWE-436 CVE-2023-30541: OpenZeppelin Contracts is a library for secure smart contract development. A function in the impleme OpenZeppelin Contracts is a library for secure smart contract development. A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the

CVE-2023-30542 [HIGH] CWE-20 CVE-2023-30542: OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation ent OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatures` array shorter than the `calldatas` array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the correspon

CVE-2023-26488 [MEDIUM] CWE-682 CVE-2023-26488: OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive con OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by `balanceOf`. The issue exclusively

CVE-2022-39384 [MEDIUM] CWE-665 CVE-2022-39384: OpenZeppelin Contracts is a library for secure smart contract development. Before version 4.4.1 but OpenZeppelin Contracts is a library for secure smart contract development. Before version 4.4.1 but after 3.2.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can ne

CVE-2022-31198 [HIGH] CWE-682 CVE-2022-31198: OpenZeppelin Contracts is a library for secure smart contract development. This issue concerns insta OpenZeppelin Contracts is a library for secure smart contract development. This issue concerns instances of Governor that use the module `GovernorVotesQuorumFraction`, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected instances, when a proposal is passed to lower the quorum requirements, pa

CVE-2022-35915 [MEDIUM] CWE-400 CVE-2022-35915: OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no kno

CVE-2022-35916 [MEDIUM] CWE-669 CVE-2022-35916: OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross chain utilities for Arbitrum L2, `CrossChainEnabledArbitrumL2` or `LibArbitrumL2`, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not started on L1. This issue has been patched in v4.7

CVE-2022-31172 [HIGH] CWE-20 CVE-2022-31172: OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are v OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. `SignatureChecker.isValidSignatureNow` is not expected to revert. However, an incorrect assumption about Solidity 0.8's `abi.decode` allows some cases to revert, given a target contract that doesn't implement

CVE-2022-31170 [HIGH] CWE-20 CVE-2022-31170: OpenZeppelin Contracts is a library for smart contract development. Versions 4.0.0 until 4.7.1 are v OpenZeppelin Contracts is a library for smart contract development. Versions 4.0.0 until 4.7.1 are vulnerable to ERC165Checker reverting instead of returning `false`. `ERC165Checker.supportsInterface` is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8's `abi.decode`

CVE-2021-41264 [CRITICAL] CWE-665 CVE-2021-41264: OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`. For users unable to upgrad

CVE-2021-39167 [CRITICAL] CWE-269 CVE-2021-39167: OpenZepplin is a library for smart contract development. In affected versions a vulnerability in Tim OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control.