@openzeppelin/contracts@4.2.0 vulnerabilities

Secure Smart Contract library for Solidity

Direct Vulnerabilities

Known vulnerabilities in the @openzeppelin/contracts package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Improper Encoding or Escaping of Output

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output. Contracts using ERC2771Context along with a custom trusted forwarder may see _msgSender return address(0) in calls that originate from the forwarder with calldata shorter than 20 bytes.

Note:

This can lead to unintended consequences or incorrect behavior in smart contracts that rely on the accurate identification of the sender.

How to fix Improper Encoding or Escaping of Output?

Upgrade @openzeppelin/contracts to version 4.9.3 or higher.

>=4.0.0 <4.9.3
  • L
Denial of Service (DoS)

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Denial of Service (DoS) such that a function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata.

How to fix Denial of Service (DoS)?

Upgrade @openzeppelin/contracts to version 4.8.3 or higher.

>=3.2.0 <4.8.3
  • H
Improper Verification of Cryptographic Signature

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via ECDSA.recover and ECDSA.tryRecover due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format.

How to fix Improper Verification of Cryptographic Signature?

Upgrade @openzeppelin/contracts to version 4.7.3 or higher.

<4.7.3
  • M
Denial of Service (DoS)

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the supportsERC165InterfaceUnchecked() function in ERC165Checker.sol and ERC165CheckerUpgradeable.sol, which can consume excessive resources when processing a large amount of data via an EIP-165 supportsInterface query.

How to fix Denial of Service (DoS)?

Upgrade @openzeppelin/contracts to version 4.7.2 or higher.

>=2.3.0 <4.7.2
  • H
Information Exposure

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Information Exposure. SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected.

The contracts that may be affected are those that use SignatureChecker to check the validity of a signature and handle invalid signatures in a way other than reverting. We believe this to be unlikely.

How to fix Information Exposure?

Upgrade @openzeppelin/contracts to version 4.7.1 or higher.

>=4.1.0 <4.7.1
  • H
Information Exposure

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Information Exposure. ERC165Checker.supportsInterface is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-165 as expected, specifically if it returns a value other than 0 or 1.

The contracts that may be affected are those that use ERC165Checker to check for support for an interface and then handle the lack of support in a way other than reverting.

How to fix Information Exposure?

Upgrade @openzeppelin/contracts to version 4.7.1 or higher.

>=4.0.0 <4.7.1
  • H
Deserialization of Untrusted Data

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible for initializer() protected functions to be executed twice, if this happens in the same transaction. For this to happen, either one call has to be a subcall to the other, or both calls have to be subcalls of a common initializer() protected function. This can be particularly dangerous if the initialization is not part of the proxy construction, and reentrancy is possible by executing an external call to an untrusted address.

NOTE: This vulnerability has also been identified as: CVE-2022-39384

How to fix Deserialization of Untrusted Data?

Upgrade @openzeppelin/contracts to version 4.4.1 or higher.

>=3.2.0 <4.4.1
  • H
Deserialization of Untrusted Data

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible for initializer() protected functions to be executed twice, if this happens in the same transaction. For this to happen, either one call has to be a subcall to the other, or both calls have to be subcalls of a common initializer() protected function. This can be particularly dangerous if the initialization is not part of the proxy construction, and reentrancy is possible by executing an external call to an untrusted address.

NOTE: This vulnerability has also been identified as: CVE-2021-46320

How to fix Deserialization of Untrusted Data?

Upgrade @openzeppelin/contracts to version 4.4.1 or higher.

>=3.2.0 <4.4.1
  • M
Numeric Errors

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Numeric Errors. When ERC1155 tokens are minted, a callback is invoked on the receiver of those tokens, as required by the spec. When including the ERC1155Supply extension, the total supply is not updated until after the callback, thus during the callback the reported total supply is lower than the real number of tokens in circulation.

How to fix Numeric Errors?

Upgrade @openzeppelin/contracts to version 4.3.3 or higher.

>=4.2.0 <4.3.3
  • C
Improper Initialization

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Improper Initialization via uninitialized implementation contracts using UUPSUpgradeable.

How to fix Improper Initialization?

Upgrade @openzeppelin/contracts to version 4.3.2 or higher.

>=4.1.0 <4.3.2
  • H
Improper Input Validation

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Improper Input Validation. Upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts.

Due to this vulnerability, it is recommended that all projects using the UUPS proxy pattern should initialize their implementation contracts, even after upgrading to the fixed version. An example of how to do this is here.

How to fix Improper Input Validation?

Upgrade @openzeppelin/contracts to version 4.3.2 or higher.

>=4.1.0 <4.3.2
  • C
Privilege Escalation

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Privilege Escalation. A vulnerability in TimelockController allowed an actor with the executor role to escalate privileges.

As a workaround, revoke the executor role from accounts not strictly under the team's control. It is recommended to revoke all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor remaining.

How to fix Privilege Escalation?

Upgrade @openzeppelin/contracts to version 4.3.1, 3.4.2 or higher.

>=4.0.0-beta.0 <4.3.1 <3.4.2