ECDSA signature malleability in OpenZeppelin Contracts
Description
OpenZeppelin Contracts is a library for secure smart contract development. The functions ECDSA.recover and ECDSA.tryRecover are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65-byte signature format. This is only an issue for the functions that take a single bytes argument, and not the functions that take r, v, s or r, vs as separate arguments. The potentially affected contracts are those that implement signature reuse or replay protection by marking the signature itself as used rather than the signed message or a nonce included in it. A user may take a signature that has already been submitted, submit it again in a different form, and bypass this protection. The issue has been patched in 4.7.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenZeppelin Contracts ECDSA functions accept malleable signatures via EIP-2098 format, bypassing replay protection; fixed in 4.7.3.
OpenZeppelin Contracts' ECDSA.recover and ECDSA.tryRecover functions accept both traditional 65-byte signatures and EIP-2098 compact signatures (64 bytes). This dual-format acceptance introduces signature malleability: an attacker can convert a valid signature into a different form while preserving recoverability. The vulnerability affects contracts that mark the signature itself as used, rather than the signed message or a nonce, for replay protection [1].
An attacker who has observed a submitted transaction can take the original signature, convert it to the alternative format, and resubmit the same message with a different signature. No authentication or network position is required beyond visibility of a valid signature. The functions that take separate r, v, s or r, vs parameters are not affected [1].
Successful exploitation allows bypassing replay protection, enabling double-spending or unauthorized repeats of signed actions. The impact depends on the contract's use of signatures; for example, token transfers or voting systems could be compromised.
The issue is patched in OpenZeppelin Contracts v4.7.3. The fix removes support for compact signatures in the bytes-based functions [2][3]. Users should upgrade to v4.7.3 or later and ensure that any use of ECDSA.recover or ECDSA.tryRecover with a single bytes argument does not rely solely on signature uniqueness for replay protection [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
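The following added example (not code from OpenZeppelin or from this advisory) models why a replay guard keyed on the signature bytes fails when both encodings are accepted, next to a guard keyed on the signed digest. The ReplayGuard class, the helper names and the sample r, s, v values are constructed for illustration, SHA-256 stands in for keccak256, and ECDSA recovery itself is omitted.

```python
import hashlib

def h(data: bytes) -> bytes:
    # Stand-in for keccak256, which hashlib does not provide (assumption).
    return hashlib.sha256(data).digest()

def parse_signature(sig: bytes) -> tuple[int, int, int]:
    """Decode 65-byte r||s||v or 64-byte EIP-2098 r||yParityAndS into (r, s, v)."""
    r = int.from_bytes(sig[:32], "big")
    if len(sig) == 65:
        return r, int.from_bytes(sig[32:64], "big"), sig[64]
    if len(sig) == 64:
        vs = int.from_bytes(sig[32:], "big")
        return r, vs & ((1 << 255) - 1), 27 + (vs >> 255)
    raise ValueError("invalid signature length")

def encode_65(r: int, s: int, v: int) -> bytes:
    return r.to_bytes(32, "big") + s.to_bytes(32, "big") + bytes([v])

def encode_compact(r: int, s: int, v: int) -> bytes:
    # EIP-2098: the parity bit (v - 27) is stored in the top bit of s.
    return r.to_bytes(32, "big") + (s | ((v - 27) << 255)).to_bytes(32, "big")

class ReplayGuard:
    """Hypothetical replay guard. Signer recovery is omitted (assumption: both
    encodings decode to the same (r, s, v) and so recover the same signer)."""
    def __init__(self, key_on_signature: bool):
        self.key_on_signature = key_on_signature
        self.used = set()

    def accept(self, digest: bytes, sig: bytes) -> bool:
        parse_signature(sig)  # rejects lengths other than 64 or 65
        key = h(sig) if self.key_on_signature else digest
        if key in self.used:
            return False
        self.used.add(key)
        return True

def replay_outcomes() -> dict:
    # Constructed sample values, not a real signature.
    r, s, v = 0x1234 << 200, 0x5678 << 180, 28
    digest = h(b"constructed message: transfer 1 token, nonce 7")
    long_sig, short_sig = encode_65(r, s, v), encode_compact(r, s, v)
    out = {"same_rsv": parse_signature(long_sig) == parse_signature(short_sig)}
    for name, flag in (("signature_keyed", True), ("digest_keyed", False)):
        guard = ReplayGuard(key_on_signature=flag)
        out[name] = (guard.accept(digest, long_sig), guard.accept(digest, short_sig))
    return out
```

The signature-keyed guard accepts the same signed message twice because the two encodings hash to different keys, while the digest-keyed guard rejects the second submission regardless of encoding.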
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @openzeppelin/contracts (npm) | >= 4.1.0, < 4.7.3 | 4.7.3 |
| @openzeppelin/contracts-upgradeable (npm) | >= 4.1.0, < 4.7.3 | 4.7.3 |
Affected products
- ghsa-coords (2 versions): >= 4.1.0, < 4.7.3
- (no CPE), range: >= 4.1.0, < 4.7.3
- (no CPE), range: >= 4.1.0, < 4.7.3
- OpenZeppelin/openzeppelin-contracts (v5), range: >= 4.1.0, < 4.7.3
References
- github.com/advisories/GHSA-4h98-2769-gh6h (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-35961 (ghsa, ADVISORY)
- github.com/OpenZeppelin/openzeppelin-contracts/commit/d693d89d99325f395182e4f547dbf5ff8e5c3c87 (ghsa, WEB)
- github.com/OpenZeppelin/openzeppelin-contracts/pull/3610 (ghsa, x_refsource_MISC, WEB)
- github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.7.3 (ghsa, x_refsource_MISC, WEB)
- github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4h98-2769-gh6h (ghsa, x_refsource_CONFIRM, WEB)