Moderate severityNVD Advisory· Published Aug 1, 2022· Updated Apr 23, 2025
Unbounded gas consumption in @openzeppelin/contracts
CVE-2022-35915
Description
OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 supportsInterface query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@openzeppelin/contractsnpm | >= 2.0.0, < 4.7.2 | 4.7.2 |
openzeppelin-soliditynpm | >= 2.0.0, <= 4.6.0 | — |
@openzeppelin/contracts-upgradeablenpm | >= 3.2.0, < 4.7.2 | 4.7.2 |
openzeppelin-ethnpm | >= 2.0.0, <= 2.2.0 | — |
Affected products
5- ghsa-coords4 versionspkg:npm/%40openzeppelin/contractspkg:npm/%40openzeppelin/contracts-upgradeablepkg:npm/openzeppelin-ethpkg:npm/openzeppelin-solidity
>= 2.0.0, < 4.7.2+ 3 more
- (no CPE)range: >= 2.0.0, < 4.7.2
- (no CPE)range: >= 3.2.0, < 4.7.2
- (no CPE)range: >= 2.0.0, <= 2.2.0
- (no CPE)range: >= 2.0.0, <= 4.6.0
- Range: >=2.0.0 < 4.7.2
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-7grf-83vw-6f5xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-35915ghsaADVISORY
- github.com/OpenZeppelin/openzeppelin-contracts/pull/3587ghsax_refsource_MISCWEB
- github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.7.2ghsaWEB
- github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-7grf-83vw-6f5xghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.