@openzeppelin/contracts 4.6.0-rc.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the @openzeppelin/contracts package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Out-of-bounds Read @openzeppelin/contracts is a library for contract development. Affected versions of this package are vulnerable to Out-of-bounds Read due to the `Base64.encode` function. An attacker can corrupt the output by manipulating the extra bits that are kept between the encoding and padding when the input is not a multiple of 3, leading to parts of the memory beyond the input buffer being read. Note: These conditions are more frequent in the following scenarios: A bytes memory struct is allocated just after the input and the first bytes of it are non-zero. The memory pointer is set to a non-empty memory location before allocating the input. How to fix Out-of-bounds Read? Upgrade `@openzeppelin/contracts` to version 4.9.6, 5.0.2 or higher.	>=4.5.0 <4.9.6>=5.0.0-rc.0 <5.0.2
M Improper Encoding or Escaping of Output @openzeppelin/contracts is a library for contract development. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output. Contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with `calldata` shorter than 20 bytes. Note: This can lead to unintended consequences or incorrect behavior in smart contracts that rely on the accurate identification of the sender. How to fix Improper Encoding or Escaping of Output? Upgrade `@openzeppelin/contracts` to version 4.9.3 or higher.	>=4.0.0 <4.9.3
L Missing Authorization @openzeppelin/contracts is a library for contract development. Affected versions of this package are vulnerable to Missing Authorization. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. Note: In order for this attack to succeed, an attacker would need to have prior knowledge of a proposal creation. Impact: This issue impacts the `Governor` contract in v4.9.0 only, and the `GovernorCompatibilityBravo` contract since v4.3.0. How to fix Missing Authorization? Upgrade `@openzeppelin/contracts` to version 4.9.1 or higher.	>=4.3.0 <4.9.1
L Denial of Service (DoS) @openzeppelin/contracts is a library for contract development. Affected versions of this package are vulnerable to Denial of Service (DoS) such that a function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata. How to fix Denial of Service (DoS)? Upgrade `@openzeppelin/contracts` to version 4.8.3 or higher.	>=3.2.0 <4.8.3
M Improper Input Validation @openzeppelin/contracts is a library for contract development. Affected versions of this package are vulnerable to Improper Input Validation due to missing signatures length validation of the proposal creation entry point (`propose`) in `GovernorCompatibilityBravo`, which allows the creation of proposals with a `signatures` array shorter than the `calldatas` array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds, the corresponding actions would eventually execute without any `calldata`. The `ProposalCreated` event correctly represents what will eventually execute, but the proposal parameters as queried through `getActions` appear to respect the originally intended `calldata`. How to fix Improper Input Validation? Upgrade `@openzeppelin/contracts` to version 4.8.3 or higher.	>=4.3.0 <4.8.3
H Improper Verification of Cryptographic Signature @openzeppelin/contracts is a library for contract development. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via `ECDSA.recover` and `ECDSA.tryRecover` due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format. How to fix Improper Verification of Cryptographic Signature? Upgrade `@openzeppelin/contracts` to version 4.7.3 or higher.	<4.7.3
M Denial of Service (DoS) @openzeppelin/contracts is a library for contract development. Affected versions of this package are vulnerable to Denial of Service (DoS) in the `supportsERC165InterfaceUnchecked()` function in `ERC165Checker.sol` and `ERC165CheckerUpgradeable.sol`, which can consume excessive resources when processing a large amount of data via an EIP-165 `supportsInterface` query. How to fix Denial of Service (DoS)? Upgrade `@openzeppelin/contracts` to version 4.7.2 or higher.	>=2.3.0 <4.7.2
H Incorrect Calculation @openzeppelin/contracts is a library for contract development. Affected versions of this package are vulnerable to Incorrect Calculation via the `GovernorVotesQuorumFraction` module. This vulnerability is exploitable by passing a proposal to lower the quorum requirements, leading to past proposals possibly becoming executable if they had been defeated only due to lack of quorum, and the number of votes it received meets the new quorum requirement. How to fix Incorrect Calculation? Upgrade `@openzeppelin/contracts` to version 4.7.2 or higher.	>=4.3.0 <4.7.2
H Information Exposure @openzeppelin/contracts is a library for contract development. Affected versions of this package are vulnerable to Information Exposure. `SignatureChecker.isValidSignatureNow` is not expected to revert. However, an incorrect assumption about Solidity 0.8's `abi.decode` allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected. The contracts that may be affected are those that use `SignatureChecker` to check the validity of a signature and handle invalid signatures in a way other than reverting. We believe this to be unlikely. How to fix Information Exposure? Upgrade `@openzeppelin/contracts` to version 4.7.1 or higher.	>=4.1.0 <4.7.1
H Information Exposure @openzeppelin/contracts is a library for contract development. Affected versions of this package are vulnerable to Information Exposure. `ERC165Checker.supportsInterface` is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8's `abi.decode` allows some cases to revert, given a target contract that doesn't implement EIP-165 as expected, specifically if it returns a value other than 0 or 1. The contracts that may be affected are those that use `ERC165Checker` to check for support for an interface and then handle the lack of support in a way other than reverting. How to fix Information Exposure? Upgrade `@openzeppelin/contracts` to version 4.7.1 or higher.	>=4.0.0 <4.7.1

Vulnerability

Vulnerable Version

Out-of-bounds Read

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Out-of-bounds Read due to the Base64.encode function. An attacker can corrupt the output by manipulating the extra bits that are kept between the encoding and padding when the input is not a multiple of 3, leading to parts of the memory beyond the input buffer being read.

Note: These conditions are more frequent in the following scenarios:

A bytes memory struct is allocated just after the input and the first bytes of it are non-zero.
The memory pointer is set to a non-empty memory location before allocating the input.

How to fix Out-of-bounds Read?

Upgrade @openzeppelin/contracts to version 4.9.6, 5.0.2 or higher.

>=4.5.0 <4.9.6>=5.0.0-rc.0 <5.0.2

Improper Encoding or Escaping of Output

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output. Contracts using ERC2771Context along with a custom trusted forwarder may see _msgSender return address(0) in calls that originate from the forwarder with calldata shorter than 20 bytes.

Note:

This can lead to unintended consequences or incorrect behavior in smart contracts that rely on the accurate identification of the sender.

How to fix Improper Encoding or Escaping of Output?

Upgrade @openzeppelin/contracts to version 4.9.3 or higher.

>=4.0.0 <4.9.3

Missing Authorization

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Missing Authorization. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all.

Note: In order for this attack to succeed, an attacker would need to have prior knowledge of a proposal creation.

Impact:

This issue impacts the Governor contract in v4.9.0 only, and the GovernorCompatibilityBravo contract since v4.3.0.

How to fix Missing Authorization?

Upgrade @openzeppelin/contracts to version 4.9.1 or higher.

>=4.3.0 <4.9.1

Denial of Service (DoS)

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Denial of Service (DoS) such that a function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata.

How to fix Denial of Service (DoS)?

Upgrade @openzeppelin/contracts to version 4.8.3 or higher.

>=3.2.0 <4.8.3

Improper Input Validation

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Improper Input Validation due to missing signatures length validation of the proposal creation entry point (propose) in GovernorCompatibilityBravo, which allows the creation of proposals with a signatures array shorter than the calldatas array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds, the corresponding actions would eventually execute without any calldata. The ProposalCreated event correctly represents what will eventually execute, but the proposal parameters as queried through getActions appear to respect the originally intended calldata.

How to fix Improper Input Validation?

Upgrade @openzeppelin/contracts to version 4.8.3 or higher.

>=4.3.0 <4.8.3

Improper Verification of Cryptographic Signature

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via ECDSA.recover and ECDSA.tryRecover due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format.

How to fix Improper Verification of Cryptographic Signature?

Upgrade @openzeppelin/contracts to version 4.7.3 or higher.

<4.7.3

Denial of Service (DoS)

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the supportsERC165InterfaceUnchecked() function in ERC165Checker.sol and ERC165CheckerUpgradeable.sol, which can consume excessive resources when processing a large amount of data via an EIP-165 supportsInterface query.

How to fix Denial of Service (DoS)?

Upgrade @openzeppelin/contracts to version 4.7.2 or higher.

>=2.3.0 <4.7.2

Incorrect Calculation

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Incorrect Calculation via the GovernorVotesQuorumFraction module. This vulnerability is exploitable by passing a proposal to lower the quorum requirements, leading to past proposals possibly becoming executable if they had been defeated only due to lack of quorum, and the number of votes it received meets the new quorum requirement.

How to fix Incorrect Calculation?

Upgrade @openzeppelin/contracts to version 4.7.2 or higher.

>=4.3.0 <4.7.2

Information Exposure

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Information Exposure. SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected.

The contracts that may be affected are those that use SignatureChecker to check the validity of a signature and handle invalid signatures in a way other than reverting. We believe this to be unlikely.

How to fix Information Exposure?

Upgrade @openzeppelin/contracts to version 4.7.1 or higher.

>=4.1.0 <4.7.1

Information Exposure

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Information Exposure. ERC165Checker.supportsInterface is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-165 as expected, specifically if it returns a value other than 0 or 1.

The contracts that may be affected are those that use ERC165Checker to check for support for an interface and then handle the lack of support in a way other than reverting.

How to fix Information Exposure?

Upgrade @openzeppelin/contracts to version 4.7.1 or higher.

>=4.0.0 <4.7.1

@openzeppelin/contracts@4.6.0-rc.0 vulnerabilities

Secure Smart Contract library for Solidity

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?