OpenZeppelin — Vulnerabilities & Security Advisories 22

Browse all 22 CVE security advisories affecting OpenZeppelin. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Top 10 Products OpenZeppelin:openzeppelin-contracts cairo-contracts openzeppelin-contracts-upgradeable

CVE ID	Title	CVSS	Severity	Paused
CVE-2025-54070	OpenZeppelin Contracts's Bytes's lastIndexOf function with position argument performs out-of-bound memory access on empty buffers — openzeppelin-contractsCWE-125	5.3^AI	Medium^AI	2025-07-17
CVE-2024-45304	OwnableTwoStep allows a pending owner to accept ownership after the original owner has renounced ownership in cairo-contracts — cairo-contractsCWE-670	5.3	Medium	2024-08-30
CVE-2024-27094	OpenZeppelin Contracts base64 encoding may read from potentially dirty memory — openzeppelin-contractsCWE-125	6.5	Medium	2024-02-29
CVE-2023-49798	Duplicated execution of subcalls in OpenZeppelin Contracts — openzeppelin-contractsCWE-670	5.9	Medium	2023-12-08
CVE-2023-40014	OpenZeppelin Contracts's ERC2771Context with custom forwarder may lead to zero-valued _msgSender — openzeppelin-contractsCWE-116	5.3	Medium	2023-08-10
CVE-2023-34459	OpenZeppelin Contracts's MerkleProof multiproofs may allow proving arbitrary leaves for specific trees — openzeppelin-contractsCWE-354	5.3	Medium	2023-06-16
CVE-2023-34234	Governor proposal creation may be blocked by frontrunning in OpenZeppelin — openzeppelin-contractsCWE-862	5.3	Medium	2023-06-07
CVE-2023-30541	TransparentUpgradeableProxy clashing selector calls may not be delegated in @openzeppelin/contracts — openzeppelin-contractsCWE-436	5.3	Medium	2023-04-17
CVE-2023-30542	GovernorCompatibilityBravo may trim proposal calldata — openzeppelin-contractsCWE-20	6.8	Medium	2023-04-16
CVE-2023-26488	OpenZeppelin Contracts contains Incorrect Calculation — openzeppelin-contractsCWE-682	6.5	Medium	2023-03-03
CVE-2023-23940	OpenZeppelin Contracts for Cairo is vulnerable to signature validation bypass — cairo-contractsCWE-347	6.4	Medium	2023-02-03
CVE-2022-39384	OpenZeppelin Contracts initializer reentrancy may lead to double initialization — openzeppelin-contractsCWE-665	5.6	Medium	2022-11-04
CVE-2022-35961	ECDSA signature malleability in OpenZeppelin Contracts — openzeppelin-contractsCWE-354	7.9	High	2022-08-14
CVE-2022-35915	Unbounded gas consumption in @openzeppelin/contracts — openzeppelin-contractsCWE-400	5.3	Medium	2022-08-01
CVE-2022-35916	Cross chain utilities for Arbitrum L2 see EOA calls as cross chain calls — openzeppelin-contractsCWE-669	5.3	Medium	2022-08-01
CVE-2022-31198	GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals in @openzeppelin/contracts — openzeppelin-contractsCWE-682	7.5	High	2022-08-01
CVE-2022-31170	OpenZeppelin Contracts's ERC165Checker may revert instead of returning false — openzeppelin-contractsCWE-20	7.5	High	2022-07-21
CVE-2022-31172	OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers — openzeppelin-contractsCWE-20	7.5	High	2022-07-21
CVE-2022-31153	OpenZeppelin Contracts for Cairo account cannot process transactions on Goerli — cairo-contractsCWE-664	6.5	Medium	2022-07-15
CVE-2021-41264	UUPSUpgradeable vulnerability in OpenZeppelin Contracts — openzeppelin-contractsCWE-665	9.8	Critical	2021-11-12
CVE-2021-39167	TimelockController vulnerability in OpenZeppelin Contracts — openzeppelin-contractsCWE-269	10.0	Critical	2021-08-26
CVE-2021-39168	TimelockController vulnerability in OpenZeppelin Contracts — openzeppelin-contracts-upgradeableCWE-269	10.0	Critical	2021-08-26

This page lists every published CVE security advisory associated with OpenZeppelin. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.

Support Us — Your donation helps us keep running

OpenZeppelin — Vulnerabilities & Security Advisories 22