@openzeppelin/contracts 4.8.3 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the @openzeppelin/contracts package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Out-of-bounds Read @openzeppelin/contracts is a library for contract development. Affected versions of this package are vulnerable to Out-of-bounds Read due to the `Base64.encode` function. An attacker can corrupt the output by manipulating the extra bits that are kept between the encoding and padding when the input is not a multiple of 3, leading to parts of the memory beyond the input buffer being read. Note: These conditions are more frequent in the following scenarios: A bytes memory struct is allocated just after the input and the first bytes of it are non-zero. The memory pointer is set to a non-empty memory location before allocating the input. How to fix Out-of-bounds Read? Upgrade `@openzeppelin/contracts` to version 4.9.6, 5.0.2 or higher.	>=4.5.0 <4.9.6>=5.0.0-rc.0 <5.0.2
M Improper Encoding or Escaping of Output @openzeppelin/contracts is a library for contract development. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output. Contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with `calldata` shorter than 20 bytes. Note: This can lead to unintended consequences or incorrect behavior in smart contracts that rely on the accurate identification of the sender. How to fix Improper Encoding or Escaping of Output? Upgrade `@openzeppelin/contracts` to version 4.9.3 or higher.	>=4.0.0 <4.9.3
M Improper Input Validation @openzeppelin/contracts is a library for contract development. Affected versions of this package are vulnerable to Improper Input Validation when the `verifyMultiProof`, `verifyMultiProofCalldata`, `procesprocessMultiProof`, or `processMultiProofCalldat` functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves. A contract may be vulnerable if it uses multiproofs for verification and the merkle tree that is processed includes a node with value 0 at depth 1 (just under the root). This could happen inadvertedly for balanced trees with 3 leaves or less, if the leaves are not hashed. This could happen deliberately if a malicious tree builder includes such a node in the tree. A contract is not vulnerable if it uses single-leaf proving (`verify`, `verifyCalldata`, `processProof`, or `processProofCalldata`), or if it uses multiproofs with a known tree that has hashed leaves. Standard merkle trees produced or validated with the `@openzeppelin/merkle-tree` library are safe. How to fix Improper Input Validation? Upgrade `@openzeppelin/contracts` to version 4.9.2 or higher.	>=4.7.0 <4.9.2
L Missing Authorization @openzeppelin/contracts is a library for contract development. Affected versions of this package are vulnerable to Missing Authorization. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. Note: In order for this attack to succeed, an attacker would need to have prior knowledge of a proposal creation. Impact: This issue impacts the `Governor` contract in v4.9.0 only, and the `GovernorCompatibilityBravo` contract since v4.3.0. How to fix Missing Authorization? Upgrade `@openzeppelin/contracts` to version 4.9.1 or higher.	>=4.3.0 <4.9.1

Vulnerability

Vulnerable Version

Out-of-bounds Read

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Out-of-bounds Read due to the Base64.encode function. An attacker can corrupt the output by manipulating the extra bits that are kept between the encoding and padding when the input is not a multiple of 3, leading to parts of the memory beyond the input buffer being read.

Note: These conditions are more frequent in the following scenarios:

A bytes memory struct is allocated just after the input and the first bytes of it are non-zero.
The memory pointer is set to a non-empty memory location before allocating the input.

How to fix Out-of-bounds Read?

Upgrade @openzeppelin/contracts to version 4.9.6, 5.0.2 or higher.

>=4.5.0 <4.9.6>=5.0.0-rc.0 <5.0.2

Improper Encoding or Escaping of Output

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output. Contracts using ERC2771Context along with a custom trusted forwarder may see _msgSender return address(0) in calls that originate from the forwarder with calldata shorter than 20 bytes.

Note:

This can lead to unintended consequences or incorrect behavior in smart contracts that rely on the accurate identification of the sender.

How to fix Improper Encoding or Escaping of Output?

Upgrade @openzeppelin/contracts to version 4.9.3 or higher.

>=4.0.0 <4.9.3

Improper Input Validation

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Improper Input Validation when the verifyMultiProof, verifyMultiProofCalldata, procesprocessMultiProof, or processMultiProofCalldat functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves. A contract may be vulnerable if it uses multiproofs for verification and the merkle tree that is processed includes a node with value 0 at depth 1 (just under the root). This could happen inadvertedly for balanced trees with 3 leaves or less, if the leaves are not hashed. This could happen deliberately if a malicious tree builder includes such a node in the tree. A contract is not vulnerable if it uses single-leaf proving (verify, verifyCalldata, processProof, or processProofCalldata), or if it uses multiproofs with a known tree that has hashed leaves. Standard merkle trees produced or validated with the @openzeppelin/merkle-tree library are safe.

How to fix Improper Input Validation?

Upgrade @openzeppelin/contracts to version 4.9.2 or higher.

>=4.7.0 <4.9.2

Missing Authorization

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Missing Authorization. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all.

Note: In order for this attack to succeed, an attacker would need to have prior knowledge of a proposal creation.

Impact:

This issue impacts the Governor contract in v4.9.0 only, and the GovernorCompatibilityBravo contract since v4.3.0.

How to fix Missing Authorization?

Upgrade @openzeppelin/contracts to version 4.9.1 or higher.

>=4.3.0 <4.9.1

@openzeppelin/contracts@4.8.3 vulnerabilities

Secure Smart Contract library for Solidity

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?