@openzeppelin/contracts
npm19 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @openzeppelin/contractspage 1 of 1
- CVE-2021-39167CRITICALCVSS 10.0EG 10.0✓ Fixed in 3.4.22021-08-27
OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed a…
- CVE-2021-41264CRITICALCVSS 9.8EG 9.8✓ Fixed in 4.3.22021-11-12
OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in ve…
- CVE-2021-46320HIGHCVSS 7.5EG 7.5✓ Fixed in 4.4.12022-02-04
In OpenZeppelin <=v4.4.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has …
- CVE-2022-31170HIGHCVSS 7.5EG 7.5✓ Fixed in 4.7.12022-07-22
OpenZeppelin Contracts is a library for smart contract development. Versions 4.0.0 until 4.7.1 are vulnerable to ERC165Checker reverting instead of returning `false`. `ERC165Checker.supportsInterface` is designed to always successfully ret…
- CVE-2022-31172HIGHCVSS 7.5EG 7.5✓ Fixed in 4.7.12022-07-22
OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. `SignatureChecker.isValidSignatureNow` is not expected to revert. However, an incorrect assump…
- CVE-2022-31198HIGHCVSS 7.5EG 7.5✓ Fixed in 4.7.22022-08-01
OpenZeppelin Contracts is a library for secure smart contract development. This issue concerns instances of Governor that use the module `GovernorVotesQuorumFraction`, a mechanism that determines quorum requirements as a percentage of the …
- CVE-2022-35915MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.7.22022-08-01
OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this …
- CVE-2022-35916MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.7.22022-08-01
OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross chain utilities for Arbitrum L2, `CrossChainEnabledArbitrumL2` or `LibArbitrumL2`, will classify direct interactions of externally owned a…
- CVE-2022-35961HIGHCVSS 7.9EG 7.9✓ Fixed in 4.7.32022-08-15
OpenZeppelin Contracts is a library for secure smart contract development. The functions `ECDSA.recover` and `ECDSA.tryRecover` are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to …
- CVE-2022-39384MEDIUMCVSS 5.6EG 5.6✓ Fixed in 4.4.12022-11-04
OpenZeppelin Contracts is a library for secure smart contract development. Before version 4.4.1 but after 3.2.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may …
- CVE-2023-26488MEDIUMCVSS 6.5EG 6.5✓ Fixed in 4.8.22023-03-03
OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent tran…
- CVE-2023-30541MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.8.32023-04-17
OpenZeppelin Contracts is a library for secure smart contract development. A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function …
- CVE-2023-30542MEDIUMCVSS 6.8EG 6.8✓ Fixed in 4.8.32023-04-16
OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatures` array shorter than the `calldatas`…
- CVE-2023-34234MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.9.12023-06-07
OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a…
- CVE-2023-34459MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.9.22023-06-16
OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the `verifyMultiProof`, `verifyMultiProofCalldata`, `procesprocessMultiProof`, or `processMultiProofCalldat` fun…
- CVE-2023-40014MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.9.32023-08-10
OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)…
- CVE-2023-49798MEDIUMCVSS 5.9EG 5.9✓ Fixed in 4.9.52023-12-09
vulnerable: 4.9.4
OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of `Multicall.sol` released in `@openzeppelin/contracts@4.9.4` and `…
- CVE-2024-27094MEDIUMCVSS 6.5EG 6.5✓ Fixed in 5.0.22024-03-21
OpenZeppelin Contracts is a library for secure smart contract development. The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read …
- CVE-2025-54070MEDIUMCVSS 6.9EG 0.0✓ Fixed in 5.4.02025-07-17
OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 5.2.0 and prior to version 5.4.0, the `lastIndexOf(bytes,byte,uint256)` function of the `Bytes.sol` library may access uninitialized memory when…
Check whether @openzeppelin/contracts is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for @openzeppelin/contracts CVEs against the assets you own.
Start Free Scan →