Unbounded gas consumption in @openzeppelin/contracts
Description
OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 supportsInterface query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenZeppelin Contracts allows unbounded gas consumption via EIP-165 supportsInterface queries, fixed in v4.7.2.
Vulnerability
The EIP-165 supportsInterface function in OpenZeppelin Contracts is designed to query whether a contract implements a given interface. The vulnerability arises because the target contract of such a query can return an arbitrarily large amount of data, leading to unbounded gas consumption. This behavior violates the assumption that supportsInterface has a bounded cost [1][2].
Exploitation
An attacker can exploit this by crafting a malicious contract that returns a large payload in response to a supportsInterface query. Any contract that uses OpenZeppelin's ERC165Checker to verify interface support may then be forced to consume excessive gas when interacting with the attacker's contract. No special privileges are required; the attacker only needs the target contract to call supportsInterface on their malicious contract [3].
Impact
If an attacker triggers unbounded gas consumption, the affected contract's operations may fail due to out-of-gas errors, potentially disrupting functionality or enabling denial-of-service attacks. This can be particularly severe in multi-party smart contract systems where reliability is critical [1][3].
Mitigation
The issue is patched in OpenZeppelin Contracts version 4.7.2. All users are advised to upgrade. No workarounds are available. The fix limits the amount of data read from the supportsInterface return value [3][4].
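As an added illustration of the two patterns the advisory contrasts (not OpenZeppelin's own code; the library and function names are invented for this example): a checker that lets the high-level call copy the callee's full return data, beside one that asks the EVM for at most one 32-byte word, so its cost no longer depends on what the callee returns.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not OpenZeppelin's code: the two checker patterns the
// advisory contrasts, kept side by side in one hypothetical library.
interface IERC165 {
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}

library InterfaceCheck {
    // VULNERABLE pattern. The 30000-gas stipend bounds execution inside the
    // callee, but a high-level call copies the callee's entire return data
    // into the caller's memory before abi.decode runs. Memory expansion is
    // paid by the caller, so a callee that returns a very large payload
    // drives this function's gas cost up without limit.
    function supportsUnbounded(address account, bytes4 interfaceId) internal view returns (bool) {
        bytes memory params = abi.encodeWithSelector(IERC165.supportsInterface.selector, interfaceId);
        (bool ok, bytes memory result) = account.staticcall{gas: 30000}(params);
        if (!ok || result.length < 32) return false;
        return abi.decode(result, (bool));
    }

    // HARDENED pattern. The call is made with a 32-byte output buffer at
    // scratch space 0x00, so the EVM writes back at most one word no matter
    // how much the callee returns, and nothing else is ever copied. Cost is
    // now constant. returndatasize() still reports the full size, which lets
    // us reject a callee that returned fewer than 32 bytes.
    function supportsBounded(address account, bytes4 interfaceId) internal view returns (bool) {
        bytes memory params = abi.encodeWithSelector(IERC165.supportsInterface.selector, interfaceId);
        bool ok;
        uint256 returnSize;
        uint256 returnValue;
        assembly {
            // staticcall(gas, addr, argsOffset, argsLength, retOffset, retLength)
            ok := staticcall(30000, account, add(params, 0x20), mload(params), 0x00, 0x20)
            returnSize := returndatasize()
            returnValue := mload(0x00)
        }
        // Any non-zero word is accepted as "true"; there is no strict bool
        // decoding here, so an odd return value cannot make the check revert.
        return ok && returnSize >= 0x20 && returnValue > 0;
    }
}
```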
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @openzeppelin/contracts (npm) | >= 2.0.0, < 4.7.2 | 4.7.2 |
| openzeppelin-solidity (npm) | >= 2.0.0, <= 4.6.0 | — |
| @openzeppelin/contracts-upgradeable (npm) | >= 3.2.0, < 4.7.2 | 4.7.2 |
| openzeppelin-eth (npm) | >= 2.0.0, <= 2.2.0 | — |
Affected products
- pkg:npm/%40openzeppelin/contracts (no CPE), range: >= 2.0.0, < 4.7.2
- pkg:npm/%40openzeppelin/contracts-upgradeable (no CPE), range: >= 3.2.0, < 4.7.2
- pkg:npm/openzeppelin-eth (no CPE), range: >= 2.0.0, <= 2.2.0
- pkg:npm/openzeppelin-solidity (no CPE), range: >= 2.0.0, <= 4.6.0
- OpenZeppelin/openzeppelin-contracts (GitHub repository), range: >= 2.0.0, < 4.7.2
References
- [1] github.com/advisories/GHSA-7grf-83vw-6f5x (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-35915 (NVD entry)
- [3] github.com/OpenZeppelin/openzeppelin-contracts/pull/3587 (fix pull request)
- [4] github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.7.2 (patched release)
- [5] github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-7grf-83vw-6f5x (project advisory)