npm package
@openzeppelin/contracts-upgradeable
pkg:npm/%40openzeppelin/contracts-upgradeable
Vulnerabilities (18)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-54070 | Med | — | >= 5.2.0, < 5.4.0 | 5.4.0 | Jul 17, 2025 | OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 5.2.0 and prior to version 5.4.0, the `lastIndexOf(bytes,byte,uint256)` function of the `Bytes.sol` library may access uninitialized memory when the following two conditions hold: 1) th | |
| CVE-2024-27094 | — | >= 5.0.0-rc.0, < 5.0.2 | 5.0.2 | Feb 29, 2024 | OpenZeppelin Contracts is a library for secure smart contract development. The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the i | ||
| CVE-2023-49798 | — | >= 4.9.4, < 4.9.5 | 4.9.5 | Dec 8, 2023 | OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of `Multicall.sol` released in `@openzeppelin/contracts@4.9.4` and `@openzeppelin/contracts-upgradeable@4.9.4 | ||
| CVE-2023-40014 | — | >= 4.0.0, < 4.9.3 | 4.9.3 | Aug 10, 2023 | OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwar | ||
| CVE-2023-34459 | — | >= 4.7.0, < 4.9.2 | 4.9.2 | Jun 16, 2023 | OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the `verifyMultiProof`, `verifyMultiProofCalldata`, `procesprocessMultiProof`, or `processMultiProofCalldat` functions are in use, it is possible to cons | ||
| CVE-2023-34234 | — | >= 4.3.0, < 4.9.1 | 4.9.1 | Jun 7, 2023 | OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. Thi | ||
| CVE-2023-30541 | — | >= 3.2.0, < 4.8.3 | 4.8.3 | Apr 17, 2023 | OpenZeppelin Contracts is a library for secure smart contract development. A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatib | ||
| CVE-2023-30542 | — | >= 4.3.0, < 4.8.3 | 4.8.3 | Apr 16, 2023 | OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatures` array shorter than the `calldatas` array. This causes the additional elemen | ||
| CVE-2023-26488 | — | >= 4.8.0, < 4.8.2 | 4.8.2 | Mar 3, 2023 | OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may | ||
| CVE-2022-39384 | — | >= 3.2.0, < 4.4.1 | 4.4.1 | Nov 4, 2022 | OpenZeppelin Contracts is a library for secure smart contract development. Before version 4.4.1 but after 3.2.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted no | ||
| CVE-2022-35961 | — | >= 4.1.0, < 4.7.3 | 4.7.3 | Aug 14, 2022 | OpenZeppelin Contracts is a library for secure smart contract development. The functions `ECDSA.recover` and `ECDSA.tryRecover` are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format. | ||
| CVE-2022-35915 | — | >= 3.2.0, < 4.7.2 | 4.7.2 | Aug 1, 2022 | OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue h | ||
| CVE-2022-35916 | — | >= 4.6.0, < 4.7.2 | 4.7.2 | Aug 1, 2022 | OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross chain utilities for Arbitrum L2, `CrossChainEnabledArbitrumL2` or `LibArbitrumL2`, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even | ||
| CVE-2022-31198 | — | >= 4.3.0, < 4.7.2 | 4.7.2 | Aug 1, 2022 | OpenZeppelin Contracts is a library for secure smart contract development. This issue concerns instances of Governor that use the module `GovernorVotesQuorumFraction`, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected | ||
| CVE-2022-31170 | — | >= 4.0.0, < 4.7.1 | 4.7.1 | Jul 21, 2022 | OpenZeppelin Contracts is a library for smart contract development. Versions 4.0.0 until 4.7.1 are vulnerable to ERC165Checker reverting instead of returning `false`. `ERC165Checker.supportsInterface` is designed to always successfully return a boolean, and under no circumstance | ||
| CVE-2022-31172 | — | >= 4.1.0, < 4.7.1 | 4.7.1 | Jul 21, 2022 | OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. `SignatureChecker.isValidSignatureNow` is not expected to revert. However, an incorrect assumption about Solidity 0.8's `abi.decode` al | ||
| CVE-2021-41264 | — | >= 4.1.0, < 4.3.2 | 4.3.2 | Nov 12, 2021 | OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts` | ||
| CVE-2021-39168 | — | >= 4.0.0, < 4.3.1 | 4.3.1 | Aug 26, 2021 | OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke th |
- affected >= 5.2.0, < 5.4.0fixed 5.4.0
OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 5.2.0 and prior to version 5.4.0, the `lastIndexOf(bytes,byte,uint256)` function of the `Bytes.sol` library may access uninitialized memory when the following two conditions hold: 1) th
- CVE-2024-27094Feb 29, 2024affected >= 5.0.0-rc.0, < 5.0.2fixed 5.0.2
OpenZeppelin Contracts is a library for secure smart contract development. The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the i
- CVE-2023-49798Dec 8, 2023affected >= 4.9.4, < 4.9.5fixed 4.9.5
OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of `Multicall.sol` released in `@openzeppelin/contracts@4.9.4` and `@openzeppelin/contracts-upgradeable@4.9.4
- CVE-2023-40014Aug 10, 2023affected >= 4.0.0, < 4.9.3fixed 4.9.3
OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwar
- CVE-2023-34459Jun 16, 2023affected >= 4.7.0, < 4.9.2fixed 4.9.2
OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the `verifyMultiProof`, `verifyMultiProofCalldata`, `procesprocessMultiProof`, or `processMultiProofCalldat` functions are in use, it is possible to cons
- CVE-2023-34234Jun 7, 2023affected >= 4.3.0, < 4.9.1fixed 4.9.1
OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. Thi
- CVE-2023-30541Apr 17, 2023affected >= 3.2.0, < 4.8.3fixed 4.8.3
OpenZeppelin Contracts is a library for secure smart contract development. A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatib
- CVE-2023-30542Apr 16, 2023affected >= 4.3.0, < 4.8.3fixed 4.8.3
OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatures` array shorter than the `calldatas` array. This causes the additional elemen
- CVE-2023-26488Mar 3, 2023affected >= 4.8.0, < 4.8.2fixed 4.8.2
OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may
- CVE-2022-39384Nov 4, 2022affected >= 3.2.0, < 4.4.1fixed 4.4.1
OpenZeppelin Contracts is a library for secure smart contract development. Before version 4.4.1 but after 3.2.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted no
- CVE-2022-35961Aug 14, 2022affected >= 4.1.0, < 4.7.3fixed 4.7.3
OpenZeppelin Contracts is a library for secure smart contract development. The functions `ECDSA.recover` and `ECDSA.tryRecover` are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format.
- CVE-2022-35915Aug 1, 2022affected >= 3.2.0, < 4.7.2fixed 4.7.2
OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue h
- CVE-2022-35916Aug 1, 2022affected >= 4.6.0, < 4.7.2fixed 4.7.2
OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross chain utilities for Arbitrum L2, `CrossChainEnabledArbitrumL2` or `LibArbitrumL2`, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even
- CVE-2022-31198Aug 1, 2022affected >= 4.3.0, < 4.7.2fixed 4.7.2
OpenZeppelin Contracts is a library for secure smart contract development. This issue concerns instances of Governor that use the module `GovernorVotesQuorumFraction`, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected
- CVE-2022-31170Jul 21, 2022affected >= 4.0.0, < 4.7.1fixed 4.7.1
OpenZeppelin Contracts is a library for smart contract development. Versions 4.0.0 until 4.7.1 are vulnerable to ERC165Checker reverting instead of returning `false`. `ERC165Checker.supportsInterface` is designed to always successfully return a boolean, and under no circumstance
- CVE-2022-31172Jul 21, 2022affected >= 4.1.0, < 4.7.1fixed 4.7.1
OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. `SignatureChecker.isValidSignatureNow` is not expected to revert. However, an incorrect assumption about Solidity 0.8's `abi.decode` al
- CVE-2021-41264Nov 12, 2021affected >= 4.1.0, < 4.3.2fixed 4.3.2
OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts`
- CVE-2021-39168Aug 26, 2021affected >= 4.0.0, < 4.3.1fixed 4.3.1
OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke th