VYPR
Moderate severityNVD Advisory· Published Feb 29, 2024· Updated Aug 2, 2024

OpenZeppelin Contracts base64 encoding may read from potentially dirty memory

CVE-2024-27094

Description

OpenZeppelin Contracts is a library for secure smart contract development. The Base64.encode function encodes a bytes input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The vulnerability is fixed in 5.0.2 and 4.9.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@openzeppelin/contractsnpm
>= 4.5.0, < 4.9.64.9.6
@openzeppelin/contracts-upgradeablenpm
>= 5.0.0-rc.0, < 5.0.25.0.2
@openzeppelin/contractsnpm
>= 5.0.0-rc.0, < 5.0.25.0.2
@openzeppelin/contracts-upgradeablenpm
>= 4.5.0, < 4.9.64.9.6

Affected products

3

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.