OpenZeppelin Contracts base64 encoding may read from potentially dirty memory
Description
OpenZeppelin Contracts is a library for secure smart contract development. The Base64.encode function encodes a bytes input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The vulnerability is fixed in 5.0.2 and 4.9.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenZeppelin Contracts Base64.encode processes its input in 3-byte chunks; when the input length is not a multiple of 3, the last chunk reaches past the end of the input buffer, and whatever stale bytes sit immediately after the buffer alter the encoded result.
Vulnerability
Description
The Base64.encode function in OpenZeppelin Contracts versions prior to 5.0.2 and 4.9.6 processes input in 3-byte chunks. When the input length is not a multiple of 3, the final iteration reads past the end of the bytes array: the loop performs a full 32-byte mload at a data pointer that advances in steps of 3, and the low 3 bytes of that word (the chunk actually being encoded) then include 1 or 2 bytes beyond the buffer [2][3]. The official advisory confirms that the last iteration may read parts of memory that are outside the input buffer [2].
Exploitation
Prerequisites
Any caller that passes a bytes input whose length is not divisible by 3 to Base64.encode triggers the over-read; no special privileges are required, and Base64 encoding is common in on-chain data handling. The root cause is in the function's inline assembly: mload always reads a whole 32-byte word, and the loop does not mask the chunk down to the bytes that belong to the input, so on the last iteration the bytes just after the array are encoded as if they were input. Solidity does not zero memory before it is reused, so those bytes may hold stale data from earlier memory writes in the same call [3][4]. Whether anything is observable depends on the caller: the bytes after the buffer have to be dirty, and the encoded string has to reach somewhere a third party can read it (a return value, an event, stored metadata).
Impact
The encoded output depends on whatever bytes happen to follow the input buffer, so Base64.encode can return a different string for the same input depending on the caller's memory layout, and the affected characters reveal part of that adjacent memory to anyone who can observe the output. The exposure is limited to the memory of the current execution context, i.e. data that happens to sit next to the buffer in the same call; the function reads nothing from contract storage, so private storage variables are not exposed by this bug on their own. The practical effect is incorrect or non-deterministic encodings in code that relies on the result, plus a small disclosure of neighbouring memory [1][2].
Mitigation
The vulnerability is fixed in OpenZeppelin Contracts versions 5.0.2 and 4.9.6 [2]. The fix caches the 32-byte memory word that starts right after the input buffer, stores zero there before the loop runs, and writes the cached word back after encoding, so any bytes read past the end of the input are zero and memory is left as it was found [3][4]. Upgrade to a patched version. The advisory lists no workaround: the flaw is in the core encoding loop, and a caller-side fix would have to control the memory following every buffer passed to encode.
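The over-read described under Description and the cache, zero and restore fix described under Mitigation, replayed on a flat memory model, as an added example; this is not OpenZeppelin's code and not taken from the advisory. It mirrors the assembly's 32-byte mload reads on a Python bytearray; the 0x80 data location, the dirty tail bytes and the sample inputs are constructed for the illustration. It also shows something the advisory text does not spell out: the '=' padding only overwrites whole output characters, so the character just before the padding still carries a few bits of the byte read past the buffer, which is why the result changes.

```python
"""Flat-memory model of the Base64.encode loop behind CVE-2024-27094.

Added illustration, not OpenZeppelin code: it replays the 32-byte-word reads of
the Solidity assembly on a Python bytearray so the effect of dirty memory after
the input buffer can be observed offline. The 0x80 data location and all sample
inputs are constructed.
"""
import base64

TABLE = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WORD = 32


def mload(mem: bytearray, ptr: int) -> int:
    """EVM mload: the 32-byte big-endian word at ptr (untouched memory reads as zero)."""
    return int.from_bytes(bytes(mem[ptr:ptr + WORD]).ljust(WORD, b"\x00"), "big")


def mstore(mem: bytearray, ptr: int, value: int) -> None:
    """EVM mstore: write a 32-byte big-endian word at ptr, growing memory if needed."""
    end = ptr + WORD
    if len(mem) < end:
        mem.extend(b"\x00" * (end - len(mem)))
    mem[ptr:end] = value.to_bytes(WORD, "big")


def place_bytes(mem: bytearray, ptr: int, data: bytes) -> None:
    """Lay out a Solidity `bytes memory` at ptr: a 32-byte length word, then the content."""
    mstore(mem, ptr, len(data))
    mem.extend(b"\x00" * max(0, ptr + WORD + len(data) - len(mem)))
    mem[ptr + WORD:ptr + WORD + len(data)] = data


def _encode_loop(mem: bytearray, data_ptr: int) -> bytes:
    """The 3-bytes-per-iteration loop shared by the vulnerable and the fixed variant."""
    length = mload(mem, data_ptr)
    out = bytearray()
    ptr, end_ptr = data_ptr, data_ptr + length
    while ptr < end_ptr:
        ptr += 3
        # mload reads a whole word; the chunk being encoded is its LOW 3 bytes,
        # mem[ptr+29 .. ptr+31]. On the last iteration, when length % 3 != 0,
        # one or two of those bytes lie past the end of the content.
        word = mload(mem, ptr)
        out.append(TABLE[(word >> 18) & 0x3F])
        out.append(TABLE[(word >> 12) & 0x3F])
        out.append(TABLE[(word >> 6) & 0x3F])
        out.append(TABLE[word & 0x3F])
    # '=' padding overwrites whole output characters only; the character before the
    # padding still carries 4 (len%3==1) or 2 (len%3==2) bits of the over-read byte.
    rem = length % 3
    if rem == 1:
        out[-2:] = b"=="
    elif rem == 2:
        out[-1:] = b"="
    return bytes(out)


def encode_vulnerable(mem: bytearray, data_ptr: int) -> bytes:
    """Pre-4.9.6 / pre-5.0.2 behaviour: encode straight off memory, dirty tail included."""
    if mload(mem, data_ptr) == 0:
        return b""
    return _encode_loop(mem, data_ptr)


def encode_fixed(mem: bytearray, data_ptr: int) -> bytes:
    """4.9.6 / 5.0.2 behaviour: cache the word after the buffer, zero it, encode, restore it."""
    length = mload(mem, data_ptr)
    if length == 0:
        return b""
    after_ptr = data_ptr + WORD + length      # first byte after the content
    after_cache = mload(mem, after_ptr)
    mstore(mem, after_ptr, 0)
    out = _encode_loop(mem, data_ptr)
    mstore(mem, after_ptr, after_cache)       # leave memory exactly as it was found
    return out


def demo(data: bytes, dirty_tail: bytes):
    """Place `data` at 0x80 (constructed address) with `dirty_tail` right after it, i.e. stale
    bytes Solidity never zeroes. Returns (vulnerable, fixed, reference, memory_restored)."""
    mem = bytearray(0x80)                     # scratch space + free memory pointer, zeroed
    data_ptr = 0x80
    place_bytes(mem, data_ptr, data)
    mem.extend(dirty_tail)
    mem.extend(b"\x00" * WORD)                # keep every word the loop reads inside the bytearray
    snapshot = bytes(mem)
    vulnerable = encode_vulnerable(mem, data_ptr)
    fixed = encode_fixed(mem, data_ptr)
    return vulnerable, fixed, base64.b64encode(data), bytes(mem) == snapshot


if __name__ == "__main__":
    for sample in (b"a", b"ab", b"abc"):
        v, f, ref, restored = demo(sample, b"\xff" * WORD)
        print(f"{sample!r:8} vulnerable={v!r:10} fixed={f!r:10} expected={ref!r:10} restored={restored}")
```

With a dirty tail of 0xff bytes, `b"ab"` encodes to `YWL=` on the vulnerable path and `YWI=` (the correct value) on the fixed path; a length that is a multiple of 3, such as `b"abc"`, is unaffected on both. The fixed variant returns memory to its exact prior state, which is what the cache and restore step in the real patch is for.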
- GitHub - OpenZeppelin/openzeppelin-contracts: OpenZeppelin Contracts is a library for secure smart contract development.
- NVD - CVE-2024-27094
- Port Base64 tests to truffle (#4926) (#4929) · OpenZeppelin/openzeppelin-contracts@a6286d0
- Merge pull request from GHSA-9vx6-7xxf-x967 · OpenZeppelin/openzeppelin-contracts@9222453
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (npm) | Affected versions | Patched versions |
|---|---|---|
| @openzeppelin/contracts | >= 4.5.0, < 4.9.6 | 4.9.6 |
| @openzeppelin/contracts-upgradeable | >= 5.0.0-rc.0, < 5.0.2 | 5.0.2 |
| @openzeppelin/contracts | >= 5.0.0-rc.0, < 5.0.2 | 5.0.2 |
| @openzeppelin/contracts-upgradeable | >= 4.5.0, < 4.9.6 | 4.9.6 |
Affected products
- (no CPE) range: >= 4.5.0, < 4.9.6
- (no CPE) range: >= 5.0.0-rc.0, < 5.0.2
- OpenZeppelin/openzeppelin-contracts v5, range: >= 4.5.0, < 4.9.6
Patches
2d081f24cac1 Transpile dc44c9f1
5 files changed · +7 −8
CHANGELOG.md+4 −0 modified@@ -1,6 +1,10 @@ # Changelog +## 4.9.6 (2024-02-29) + +- `Base64`: Fix issue where dirty memory located just after the input buffer is affecting the result. ([#4929](https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4929)) + ## 4.9.5 (2023-12-08) - `Multicall`: Patch duplicated `Address.functionDelegateCall`.
.changeset/warm-geese-dance.md+0 −5 removed@@ -1,5 +0,0 @@ ---- -'openzeppelin-solidity': patch ---- - -`Base64`: Fix issue where dirty memory located just after the input buffer is affecting the result.
contracts/package.json+1 −1 modified@@ -1,7 +1,7 @@ { "name": "@openzeppelin/contracts-upgradeable", "description": "Secure Smart Contract library for Solidity", - "version": "4.9.5", + "version": "4.9.6", "files": [ "**/*.sol", "/build/contracts/*.json",
contracts/utils/Base64Upgradeable.sol+1 −1 modified@@ -1,5 +1,5 @@ // SPDX-License-Identifier: MIT -// OpenZeppelin Contracts (last updated v4.7.0) (utils/Base64.sol) +// OpenZeppelin Contracts (last updated v4.9.6) (utils/Base64.sol) pragma solidity ^0.8.0;
package.json+1 −1 modified@@ -1,7 +1,7 @@ { "name": "openzeppelin-solidity", "description": "Secure Smart Contract library for Solidity", - "version": "4.9.5", + "version": "4.9.6", "files": [ "/contracts/**/*.sol", "/build/contracts/*.json",
723f8cab09cd Transpile dbb6104ce
5 files changed · +8 −9
CHANGELOG.md+4 −0 modified@@ -1,6 +1,10 @@ # Changelog +## 5.0.2 (2024-02-29) + +- `Base64`: Fix issue where dirty memory located just after the input buffer is affecting the result. ([#4926](https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4926)) + ## 5.0.1 (2023-12-07) - `ERC2771Context` and `Context`: Introduce a `_contextPrefixLength()` getter, used to trim extra information appended to `msg.data`.
.changeset/warm-geese-dance.md+0 −5 removed@@ -1,5 +0,0 @@ ---- -'openzeppelin-solidity': patch ---- - -`Base64`: Fix issue where dirty memory located just after the input buffer is affecting the result.
contracts/package.json+2 −2 modified@@ -1,7 +1,7 @@ { "name": "@openzeppelin/contracts-upgradeable", "description": "Secure Smart Contract library for Solidity", - "version": "5.0.1", + "version": "5.0.2", "files": [ "**/*.sol", "/build/contracts/*.json", @@ -30,6 +30,6 @@ }, "homepage": "https://openzeppelin.com/contracts/", "peerDependencies": { - "@openzeppelin/contracts": "5.0.1" + "@openzeppelin/contracts": "5.0.2" } }
lib/openzeppelin-contracts+1 −1 modified@@ -1 +1 @@ -Subproject commit 26b4b6099936fc785309f3da118ec8607b6716ed +Subproject commit dbb6104ce834628e473d2173bbc9d47f81a9eec3
package.json+1 −1 modified@@ -1,7 +1,7 @@ { "name": "openzeppelin-solidity", "description": "Secure Smart Contract library for Solidity", - "version": "5.0.1", + "version": "5.0.2", "private": true, "files": [ "/contracts/**/*.sol",
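Review bot: the contracts/utils/Base64Upgradeable.sol hunk in 2d081f24cac1 changes only the header comment (`// OpenZeppelin Contracts (last updated v4.9.6) (utils/Base64.sol)`) while the CHANGELOG hunk in the same commit announces the dirty-memory fix; none of the cache, zero and restore logic around the encode loop appears anywhere in this diff. Anyone auditing the 4.9.6 upgradeable release should confirm the encode body against the upstream fix commits listed under References (92224533… and a6286d0…) rather than taking the version bump and changelog line as proof the fix landed.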
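Review bot: the lib/openzeppelin-contracts submodule bump to dbb6104ce in 723f8cab09cd is the only place this 5.0.2 transpile commit could pull in a changed Base64.sol body; the diff itself contains no Solidity source change at all, only the CHANGELOG entry, the removed .changeset/warm-geese-dance.md and the package.json / peerDependencies version bumps to 5.0.2. Both the changeset and the CHANGELOG point at #4926, so cross-check dbb6104ce against that PR's merge (92224533… under References) before citing this commit alone as evidence that the upgradeable package carries the fix.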
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9vx6-7xxf-x967 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-27094 (advisory)
- github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/2d081f24cac1a867f6f73d512f2022e1fa987854 (web, x_refsource_MISC)
- github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/723f8cab09cdae1aca9ec9cc1cfa040c2d4b06c1 (web, x_refsource_MISC)
- github.com/OpenZeppelin/openzeppelin-contracts/commit/92224533b1263772b0774eec3134e132a3d7b2a6 (web, x_refsource_MISC)
- github.com/OpenZeppelin/openzeppelin-contracts/commit/a6286d0fded8771b3a645e5813e51993c490399c (web, x_refsource_MISC)
- github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9vx6-7xxf-x967 (web, x_refsource_CONFIRM)