Version 5.1.0

@openzeppelin/contracts

OpenZeppelin Contracts is a library for secure smart contract development.

Install Instructions

npm install @openzeppelin/contracts
Current Version Release Date October 17, 2024

Find @openzeppelin/contracts vulnerabilities in your supply chain.

Scan for Free

@openzeppelin/contracts Vulnerabilities

Sort by
icon CVE (Latest)
  • icon CVE (Latest)
  • icon CVE (Oldest)
  • icon CVSS Score (Highest)
  • icon CVSS Score (Lowest)
CVE question mark icon CVSS Score question mark icon CWE(s) question mark icon EPSS Score question mark icon EPSS % question mark icon Impacted Versions
CVE-2022-31170 High 7.5 CWE-252 0.00062 0.28322
  • 4.0.0–4.7.0-rc.0
CVE-2022-31172 High 7.5 CWE-347 0.00062 0.28322
  • 4.1.0–4.7.0-rc.0
CVE-2022-31198 High 7.5 CWE-682 0.00062 0.28322
  • 4.3.0–4.7.1
CVE-2022-35915 Medium 5.3 CWE-770, CWE-400 0.00091 0.4051
  • 4.0.0–4.7.1
  • 3.0.0–3.4.2-solc-0.7
  • 2.3.0–2.5.1
CVE-2022-35916 Medium 5.3 CWE-669 0.00061 0.27716
  • 4.6.0–4.7.1
CVE-2022-35961 Medium 6.5 CWE-354 0.00061 0.27594
  • 4.1.0–4.7.2
CVE-2023-30541 Medium 5.3 CWE-436 0.00103 0.43384
  • 4.0.0–4.8.2
  • 3.2.0–3.4.2-solc-0.7
CVE-2023-30542 High 8.8 CWE-20 0.00157 0.53269
  • 4.3.0–4.8.2
CVE-2023-34234 Medium 5.3 CWE-862 0.00094 0.41252
  • 4.3.0–4.9.0-rc.1
CVE-2023-40014 Medium 5.3 CWE-116 0.00131 0.49456
  • 4.0.0–4.9.2
CVE-2024-27094 Medium 6.5 CWE-125 0.00045 0.17206
  • 5.0.0–5.0.1
  • 4.5.0–4.9.5
CVE-2021-46320 High 7.5 CWE-665 0.00084 0.37235
  • 4.0.0–4.4.0-rc.1
  • 3.0.0–3.4.2-solc-0.7
  • 2.3.0–2.5.1
CVE-2022-39384 Medium 5.6 CWE-665 0.00141 0.51101
  • 4.0.0–4.4.0-rc.1
  • 3.2.0–3.4.2-solc-0.7
CVE-2023-34459 Medium 5.9 CWE-354 0.00098 0.42421
  • 4.7.0–4.9.1
CVE-2021-39167 High 9.8 CWE-269 0.00245 0.64941
  • 4.0.0–4.3.0-rc.0
  • 3.3.0–3.4.2-solc-0.7
CVE-2021-41264 High 9.8 CWE-665 0.00352 0.72673
  • 4.1.0–4.3.1
CVE-2023-26488 Medium 6.5 CWE-682 0.00065 0.30635
  • 4.8.0–4.8.1
CVE-2023-49798 High 7.5 CWE-670 0.00051 0.21407
  • 4.9.4

@openzeppelin/contracts Vulnerability Remediation Guidance

CVE Description Full list of Impacted Versions Fix
CVE-2024-27094 OpenZeppelin Contracts is a library for secure smart contract development. The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The vulnerability is fixed in 5.0.2 and 4.9.6. 4.6.0, 4.7.1, 4.7.0-rc.0, 4.6.0-rc.0, 4.7.0, 4.5.0, 4.7.3, 4.9.2 (Show all) Minor → 4.9.6
CVE-2023-49798 OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of `Multicall.sol` released in `@openzeppelin/contracts@4.9.4` and `@openzeppelin/contracts-upgradeable@4.9.4`, all subcalls are executed twice. Concretely, this exposes a user to unintentionally duplicate operations like asset transfers. The duplicated delegatecall was removed in version 4.9.5. The 4.9.4 version is marked as deprecated. Users are advised to upgrade. There are no known workarounds for this issue. 4.9.4 Patch → 4.9.6
CVE-2023-40014 OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common, in particular it is not the case for `MinimalForwarder` from OpenZeppelin Contracts, or any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders. The problem has been patched in v4.9.3. 4.6.0, 4.4.0, 4.7.1, 4.3.0-rc.0, 4.7.0-rc.0, 4.5.0-rc.0, 4.2.0-rc.0, 4.2.0 (Show all) Minor → 4.9.6
CVE-2023-34459 OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the `verifyMultiProof`, `verifyMultiProofCalldata`, `procesprocessMultiProof`, or `processMultiProofCalldat` functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves. A contract may be vulnerable if it uses multiproofs for verification and the merkle tree that is processed includes a node with value 0 at depth 1 (just under the root). This could happen inadvertedly for balanced trees with 3 leaves or less, if the leaves are not hashed. This could happen deliberately if a malicious tree builder includes such a node in the tree. A contract is not vulnerable if it uses single-leaf proving (`verify`, `verifyCalldata`, `processProof`, or `processProofCalldata`), or if it uses multiproofs with a known tree that has hashed leaves. Standard merkle trees produced or validated with the @openzeppelin/merkle-tree library are safe. The problem has been patched in version 4.9.2. Some workarounds are available. For those using multiproofs: When constructing merkle trees hash the leaves and do not insert empty nodes in your trees. Using the @openzeppelin/merkle-tree package eliminates this issue. Do not accept user-provided merkle roots without reconstructing at least the first level of the tree. Verify the merkle tree structure by reconstructing it from the leaves. 4.7.1, 4.7.0, 4.7.3, 4.7.2, 4.8.1, 4.8.2, 4.8.3, 4.9.0 (Show all) Minor → 4.9.6
CVE-2023-34234 OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the `Governor` contract in v4.9.0 only, and the `GovernorCompatibilityBravo` contract since v4.3.0. This problem has been patched in 4.9.1 by introducing opt-in frontrunning protection. Users are advised to upgrade. Users unable to upgrade may submit the proposal creation transaction to an endpoint with frontrunning protection as a workaround. 4.6.0, 4.4.0, 4.7.1, 4.7.0-rc.0, 4.5.0-rc.0, 4.3.1, 4.3.2, 4.4.0-rc.1 (Show all) Minor → 4.9.6
CVE-2023-30542 OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatures` array shorter than the `calldatas` array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The `ProposalCreated` event correctly represents what will eventually execute, but the proposal parameters as queried through `getActions` appear to respect the original intended calldata. This issue has been patched in 4.8.3. As a workaround, ensure that all proposals that pass through governance have equal length `signatures` and `calldatas` parameters. 4.6.0, 4.4.0, 4.7.1, 4.7.0-rc.0, 4.5.0-rc.0, 4.3.1, 4.3.2, 4.4.0-rc.1 (Show all) Minor → 4.9.6
CVE-2023-30541 OpenZeppelin Contracts is a library for secure smart contract development. A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata. The probability of an accidental clash is negligible, but one could be caused deliberately and could cause a reduction in availability. The issue has been fixed in version 4.8.3. As a workaround if a function appears to be inaccessible for this reason, it may be possible to craft the calldata such that ABI decoding does not fail at the proxy and the function is properly proxied through. 4.6.0, 4.4.0, 4.7.1, 4.3.0-rc.0, 4.7.0-rc.0, 4.5.0-rc.0, 4.2.0-rc.0, 4.2.0 (Show all) Minor → 4.9.6
CVE-2023-26488 OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by `balanceOf`. The issue exclusively presents with batches of size 1. The issue has been patched in 4.8.2. 4.8.1, 4.8.0 Minor → 4.9.6
CVE-2022-39384 OpenZeppelin Contracts is a library for secure smart contract development. Before version 4.4.1 but after 3.2.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an exception put in place to support multiple inheritance made reentrancy possible in the scenario described above, breaking the expectation that there is a single execution. Note that upgradeable proxies are commonly initialized together with contract creation, where reentrancy is not feasible, so the impact of this issue is believed to be minor. This issue has been patched, please upgrade to version 4.4.1. As a workaround, avoid untrusted external calls during initialization. 4.4.0, 4.3.0-rc.0, 4.2.0-rc.0, 4.2.0, 4.0.0-rc.0, 3.3.0-solc-0.7, 3.2.1-solc-0.7, 3.4.0 (Show all) Minor → 4.9.6
CVE-2022-35961 OpenZeppelin Contracts is a library for secure smart contract development. The functions `ECDSA.recover` and `ECDSA.tryRecover` are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format. This is only an issue for the functions that take a single `bytes` argument, and not the functions that take `r, v, s` or `r, vs` as separate arguments. The potentially affected contracts are those that implement signature reuse or replay protection by marking the signature itself as used rather than the signed message or a nonce included in it. A user may take a signature that has already been submitted, submit it again in a different form, and bypass this protection. The issue has been patched in 4.7.3. 4.6.0, 4.4.0, 4.7.1, 4.3.0-rc.0, 4.7.0-rc.0, 4.5.0-rc.0, 4.2.0-rc.0, 4.2.0 (Show all) Minor → 4.9.6
CVE-2022-35916 OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross chain utilities for Arbitrum L2, `CrossChainEnabledArbitrumL2` or `LibArbitrumL2`, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not started on L1. This issue has been patched in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue. 4.6.0, 4.7.1, 4.7.0-rc.0, 4.7.0 Minor → 4.9.6
CVE-2022-35915 OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue. 4.6.0, 4.4.0, 4.7.1, 4.3.0-rc.0, 4.7.0-rc.0, 4.5.0-rc.0, 4.2.0-rc.0, 4.2.0 (Show all) Minor → 4.9.6
CVE-2022-31198 OpenZeppelin Contracts is a library for secure smart contract development. This issue concerns instances of Governor that use the module `GovernorVotesQuorumFraction`, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected instances, when a proposal is passed to lower the quorum requirements, past proposals may become executable if they had been defeated only due to lack of quorum, and the number of votes it received meets the new quorum requirement. Analysis of instances on chain found only one proposal that met this condition, and we are actively monitoring for new occurrences of this particular issue. This issue has been patched in v4.7.2. Users are advised to upgrade. Users unable to upgrade should consider avoiding lowering quorum requirements if a past proposal was defeated for lack of quorum. 4.6.0, 4.4.0, 4.7.1, 4.7.0-rc.0, 4.5.0-rc.0, 4.3.1, 4.3.2, 4.4.0-rc.1 (Show all) Minor → 4.9.6
CVE-2022-31172 OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. `SignatureChecker.isValidSignatureNow` is not expected to revert. However, an incorrect assumption about Solidity 0.8's `abi.decode` allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected. The contracts that may be affected are those that use `SignatureChecker` to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1. 4.6.0, 4.4.0, 4.3.0-rc.0, 4.7.0-rc.0, 4.5.0-rc.0, 4.2.0-rc.0, 4.2.0, 4.3.1 (Show all) Minor → 4.9.6
CVE-2022-31170 OpenZeppelin Contracts is a library for smart contract development. Versions 4.0.0 until 4.7.1 are vulnerable to ERC165Checker reverting instead of returning `false`. `ERC165Checker.supportsInterface` is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8's `abi.decode` allows some cases to revert, given a target contract that doesn't implement EIP-165 as expected, specifically if it returns a value other than 0 or 1. The contracts that may be affected are those that use `ERC165Checker` to check for support for an interface and then handle the lack of support in a way other than reverting. The issue was patched in version 4.7.1. 4.6.0, 4.4.0, 4.3.0-rc.0, 4.7.0-rc.0, 4.5.0-rc.0, 4.2.0-rc.0, 4.2.0, 4.3.1 (Show all) Minor → 4.9.6
CVE-2021-46320 In OpenZeppelin <=v4.4.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an exception put in place to support multiple inheritance made reentrancy possible, breaking the expectation that there is a single execution. 4.4.0, 4.3.0-rc.0, 4.2.0-rc.0, 4.2.0, 4.0.0-rc.0, 3.3.0-solc-0.7, 3.2.1-solc-0.7, 3.1.0 (Show all) Minor → 4.9.6
CVE-2021-41264 OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`. For users unable to upgrade; initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the forum](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301). 4.3.0-rc.0, 4.2.0-rc.0, 4.2.0, 4.3.1, 4.3.0, 4.1.0 Patch → 4.9.6
CVE-2021-39167 OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor remaining. 4.3.0-rc.0, 4.2.0-rc.0, 4.2.0, 3.4.0, 3.4.2-solc-0.7, 3.4.1, 3.4.0-rc.0, 3.4.1-solc-0.7-2 (Show all) Patch → 4.9.6

Instantly see if these @openzeppelin/contracts vulnerabilities affect your code.

Scan for Free