High severityNVD Advisory· Published Jul 21, 2022· Updated Apr 23, 2025
OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers
CVE-2022-31172
Description
OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected. The contracts that may be affected are those that use SignatureChecker to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@openzeppelin/contractsnpm | >= 4.1.0, < 4.7.1 | 4.7.1 |
@openzeppelin/contracts-upgradeablenpm | >= 4.1.0, < 4.7.1 | 4.7.1 |
Affected products
3- ghsa-coords2 versions
>= 4.1.0, < 4.7.1+ 1 more
- (no CPE)range: >= 4.1.0, < 4.7.1
- (no CPE)range: >= 4.1.0, < 4.7.1
- Range: >= 4.1.0, < 4.7.1
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-4g63-c64m-25w9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-31172ghsaADVISORY
- github.com/OpenZeppelin/openzeppelin-contracts/pull/3552ghsax_refsource_MISCWEB
- github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4g63-c64m-25w9ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.