@openzeppelin/contracts-upgradeable 3.4.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the @openzeppelin/contracts-upgradeable package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
L Denial of Service (DoS) @openzeppelin/contracts-upgradeable is a Secure Smart Contract library for Solidity. Affected versions of this package are vulnerable to Denial of Service (DoS) such that a function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata. How to fix Denial of Service (DoS)? Upgrade `@openzeppelin/contracts-upgradeable` to version 4.8.3 or higher.	>=3.2.0 <4.8.3
H Improper Verification of Cryptographic Signature @openzeppelin/contracts-upgradeable is a Secure Smart Contract library for Solidity. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via `ECDSA.recover` and `ECDSA.tryRecover` due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format. How to fix Improper Verification of Cryptographic Signature? Upgrade `@openzeppelin/contracts-upgradeable` to version 4.7.3 or higher.	<4.7.3
M Denial of Service (DoS) @openzeppelin/contracts-upgradeable is a Secure Smart Contract library for Solidity. Affected versions of this package are vulnerable to Denial of Service (DoS) in the `supportsERC165InterfaceUnchecked()` function in `ERC165Checker.sol` and `ERC165CheckerUpgradeable.sol`, which can consume excessive resources when processing a large amount of data via an EIP-165 `supportsInterface` query. How to fix Denial of Service (DoS)? Upgrade `@openzeppelin/contracts-upgradeable` to version 4.7.2 or higher.	>=3.2.0 <4.7.2
H Deserialization of Untrusted Data @openzeppelin/contracts-upgradeable is a Secure Smart Contract library for Solidity. Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible for `initializer()` protected functions to be executed twice, if this happens in the same transaction. For this to happen, either one call has to be a subcall to the other, or both calls have to be subcalls of a common `initializer()` protected function. This can be particularly dangerous if the initialization is not part of the proxy construction, and reentrancy is possible by executing an external call to an untrusted address. NOTE: This vulnerability has also been identified as: CVE-2022-39384 How to fix Deserialization of Untrusted Data? Upgrade `@openzeppelin/contracts-upgradeable` to version 4.4.1 or higher.	>=3.2.0 <4.4.1
H Deserialization of Untrusted Data @openzeppelin/contracts-upgradeable is a Secure Smart Contract library for Solidity. Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible for `initializer()` protected functions to be executed twice, if this happens in the same transaction. For this to happen, either one call has to be a subcall to the other, or both calls have to be subcalls of a common `initializer()` protected function. This can be particularly dangerous if the initialization is not part of the proxy construction, and reentrancy is possible by executing an external call to an untrusted address. NOTE: This vulnerability has also been identified as: CVE-2021-46320 How to fix Deserialization of Untrusted Data? Upgrade `@openzeppelin/contracts-upgradeable` to version 4.4.1 or higher.	>=3.2.0 <4.4.1

Vulnerability

Vulnerable Version

Denial of Service (DoS)

@openzeppelin/contracts-upgradeable is a Secure Smart Contract library for Solidity.

Affected versions of this package are vulnerable to Denial of Service (DoS) such that a function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata.

How to fix Denial of Service (DoS)?

Upgrade @openzeppelin/contracts-upgradeable to version 4.8.3 or higher.

>=3.2.0 <4.8.3

Improper Verification of Cryptographic Signature

@openzeppelin/contracts-upgradeable is a Secure Smart Contract library for Solidity.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via ECDSA.recover and ECDSA.tryRecover due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format.

How to fix Improper Verification of Cryptographic Signature?

Upgrade @openzeppelin/contracts-upgradeable to version 4.7.3 or higher.

<4.7.3

Denial of Service (DoS)

@openzeppelin/contracts-upgradeable is a Secure Smart Contract library for Solidity.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the supportsERC165InterfaceUnchecked() function in ERC165Checker.sol and ERC165CheckerUpgradeable.sol, which can consume excessive resources when processing a large amount of data via an EIP-165 supportsInterface query.

How to fix Denial of Service (DoS)?

Upgrade @openzeppelin/contracts-upgradeable to version 4.7.2 or higher.

>=3.2.0 <4.7.2

Deserialization of Untrusted Data

@openzeppelin/contracts-upgradeable is a Secure Smart Contract library for Solidity.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible for initializer() protected functions to be executed twice, if this happens in the same transaction. For this to happen, either one call has to be a subcall to the other, or both calls have to be subcalls of a common initializer() protected function. This can be particularly dangerous if the initialization is not part of the proxy construction, and reentrancy is possible by executing an external call to an untrusted address.

NOTE: This vulnerability has also been identified as: CVE-2022-39384

How to fix Deserialization of Untrusted Data?

Upgrade @openzeppelin/contracts-upgradeable to version 4.4.1 or higher.

>=3.2.0 <4.4.1

Deserialization of Untrusted Data

@openzeppelin/contracts-upgradeable is a Secure Smart Contract library for Solidity.

NOTE: This vulnerability has also been identified as: CVE-2021-46320

How to fix Deserialization of Untrusted Data?

Upgrade @openzeppelin/contracts-upgradeable to version 4.4.1 or higher.

>=3.2.0 <4.4.1

@openzeppelin/contracts-upgradeable@3.4.2 vulnerabilities

Secure Smart Contract library for Solidity

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?