OpenZeppelin Contracts's ERC2771Context with custom forwarder may lead to zero-valued _msgSender
Description
OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using ERC2771Context along with a custom trusted forwarder may see _msgSender return address(0) in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common, in particular it is not the case for MinimalForwarder from OpenZeppelin Contracts, or any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders. The problem has been patched in v4.9.3.
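The following is an added illustration, not code from this page or from OpenZeppelin Contracts. It is a Python model of the two EVM opcodes the 4.x assembly relies on (`SUB`, which wraps modulo 2**256, and `CALLDATALOAD`, which reads zeros past the end of calldata), showing why a trusted-forwarder call with fewer than 20 bytes of calldata makes `_msgSender` return `address(0)`, and how the length guard added in v4.9.3 makes it fall back to `msg.sender` (the forwarder) instead. The addresses, the function selector and the "forwarder that omits the suffix" behaviour are constructed for the example; the vulnerable and patched logic is paraphrased from the 4.9.x releases rather than quoted from the page.

```python
# Added illustration for this advisory: a Python model of the EVM operations
# behind ERC2771Context._msgSender. It is NOT code from OpenZeppelin Contracts.
# Addresses, the function selector and the "custom forwarder" behaviour below
# are constructed for the demonstration.
#
# The Solidity assembly in question is, in effect,
#     sender := shr(96, calldataload(sub(calldatasize(), 20)))
# i.e. "read the 32-byte word that ends at the end of calldata and keep its
# top 20 bytes". Two EVM rules make that fail for short calldata: SUB wraps
# modulo 2**256, and CALLDATALOAD returns zero for bytes past calldatasize.

UINT256_MASK = (1 << 256) - 1

# Constructed test identities (not real deployments).
FORWARDER = int("11" * 20, 16)   # the trusted forwarder contract
SIGNER = int("22" * 20, 16)      # the user whose request the forwarder relays
STRANGER = int("33" * 20, 16)    # a direct caller that is not the forwarder
SELECTOR = bytes.fromhex("d09de08a")  # hypothetical 4-byte function selector


def evm_sub(a: int, b: int) -> int:
    """SUB opcode: unsigned, wraps modulo 2**256 (so 4 - 20 is a huge offset)."""
    return (a - b) & UINT256_MASK


def evm_calldataload(calldata: bytes, offset: int) -> int:
    """CALLDATALOAD opcode: the 32 bytes starting at `offset`, with every byte
    at or past calldatasize read as zero. An offset beyond the end yields 0."""
    word = bytearray(32)
    for i in range(32):
        pos = offset + i
        if pos < len(calldata):
            word[i] = calldata[pos]
    return int.from_bytes(word, "big")


def _suffix_address(calldata: bytes) -> int:
    """shr(96, calldataload(sub(calldatasize(), 20))) written out in Python."""
    word = evm_calldataload(calldata, evm_sub(len(calldata), 20))
    return word >> 96  # keep the top 20 of the 32 bytes


def msg_sender_vulnerable(calldata: bytes, msg_sender: int, forwarder: int) -> int:
    """Model of _msgSender in Contracts 4.0.0 .. 4.9.2: the suffix is trusted
    whenever the caller is the forwarder, even when there is no suffix at all."""
    if msg_sender != forwarder:
        return msg_sender
    return _suffix_address(calldata)


def msg_sender_patched(calldata: bytes, msg_sender: int, forwarder: int) -> int:
    """Model of the 4.9.3 behaviour: read the suffix only when at least 20
    bytes of calldata exist; otherwise fall back to msg.sender (the forwarder)."""
    if msg_sender != forwarder or len(calldata) < 20:
        return msg_sender
    return _suffix_address(calldata)


def msg_data_patched(calldata: bytes, msg_sender: int, forwarder: int) -> bytes:
    """Companion to msg_sender_patched: strip the 20-byte suffix only when it
    is actually present (the _msgData adjustment shipped in the same release)."""
    if msg_sender != forwarder or len(calldata) < 20:
        return calldata
    return calldata[:-20]


def forwarder_relays(signer: int, inner_calldata: bytes) -> bytes:
    """What a conforming forwarder (MinimalForwarder, for instance) sends: the
    request calldata with the signer's 20-byte address appended."""
    return inner_calldata + signer.to_bytes(20, "big")


def demo() -> dict:
    """Exercise both versions with a conforming relay and a too-short relay."""
    good = forwarder_relays(SIGNER, SELECTOR)  # 4 + 20 = 24 bytes
    short = SELECTOR  # constructed: a custom forwarder that omits the suffix, 4 bytes
    return {
        "good_vuln": msg_sender_vulnerable(good, FORWARDER, FORWARDER),
        "short_vuln": msg_sender_vulnerable(short, FORWARDER, FORWARDER),
        "good_patched": msg_sender_patched(good, FORWARDER, FORWARDER),
        "short_patched": msg_sender_patched(short, FORWARDER, FORWARDER),
        "direct_call": msg_sender_vulnerable(short, STRANGER, FORWARDER),
        "good_data": msg_data_patched(good, FORWARDER, FORWARDER),
        "short_data": msg_data_patched(short, FORWARDER, FORWARDER),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        shown = value.hex() if isinstance(value, bytes) else hex(value)
        print(f"{name:14} {shown}")
```

With the conforming relay both versions recover `SIGNER`; with the 4-byte relay the vulnerable model computes `sub(4, 20)` as 2**256 - 16, loads an all-zero word from that offset and returns 0, while the patched model returns the forwarder's own address, which is what a plain `msg.sender` would have been.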
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenZeppelin Contracts 4.0.0–4.9.2 ERC2771Context can return address(0) for _msgSender when calldata is shorter than 20 bytes, patched in 4.9.3.
In OpenZeppelin Contracts versions 4.0.0 through 4.9.2, ERC2771Context._msgSender reads the original sender from the last 20 bytes of calldata whenever msg.sender is the trusted forwarder. If such a call carries fewer than 20 bytes of calldata there is no suffix to read, and _msgSender returns address(0) rather than any meaningful sender [1].
Triggering the condition requires a custom trusted forwarder that can relay a call without appending the original signer's address, so that the calldata reaching the recipient is shorter than 20 bytes. OpenZeppelin's MinimalForwarder always appends the signer address, as does every deployed forwarder the maintainers are aware of, so the issue is limited to non-standard forwarder implementations [4].
Code that consumes _msgSender would then act on behalf of address(0), so sender identity can be misattributed, but the practical impact is constrained by how uncommon the scenario is. The fix in v4.9.3 adds a length check: when the calldata is too short to hold the 20-byte suffix, _msgSender falls back to msg.sender, which is the forwarder's own address, and _msgData is adjusted in the same way [2][3].
Users are advised to upgrade to v4.9.3 or later. No workaround is provided for older versions. Projects that operate a custom forwarder can additionally confirm that it appends the 20-byte signer suffix to every relayed call, which is the property that keeps MinimalForwarder out of scope.
- openzeppelin-contracts/CHANGELOG.md at v4.9.3 · OpenZeppelin/openzeppelin-contracts
- Adjust ERC2771Context._msgData for msg.data.length < 20 by frangio · Pull Request #4484 · OpenZeppelin/openzeppelin-contracts
- Make ERC2771Context return original sender address if `msg.data.length <= 20` by ernestognw · Pull Request #4481 · OpenZeppelin/openzeppelin-contracts
- NVD - CVE-2023-40014
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @openzeppelin/contracts (npm) | >= 4.0.0, < 4.9.3 | 4.9.3 |
| @openzeppelin/contracts-upgradeable (npm) | >= 4.0.0, < 4.9.3 | 4.9.3 |
Affected products
- ghsa-coords (2 versions): >= 4.0.0, < 4.9.3, plus 1 more
- (no CPE), range: >= 4.0.0, < 4.9.3
- (no CPE), range: >= 4.0.0, < 4.9.3
- OpenZeppelin/openzeppelin-contracts, range: >= 4.0.0, < 4.9.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-g4vp-m682-qqmp (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-40014 (GHSA, advisory)
- github.com/OpenZeppelin/openzeppelin-contracts/blob/v4.9.3/CHANGELOG.md (GHSA, web)
- github.com/OpenZeppelin/openzeppelin-contracts/commit/9445f96223041abf2bf08daa56f8da50b674cbcd (GHSA, x_refsource_MISC, web)
- github.com/OpenZeppelin/openzeppelin-contracts/commit/e4435eed757d4309436b1e06608e97b6d6e2fdb5 (GHSA, x_refsource_MISC, web)
- github.com/OpenZeppelin/openzeppelin-contracts/pull/4481 (GHSA, x_refsource_MISC, web)
- github.com/OpenZeppelin/openzeppelin-contracts/pull/4484 (GHSA, x_refsource_MISC, web)
- github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.9.3 (GHSA, x_refsource_MISC, web)
- github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-g4vp-m682-qqmp (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.