
OpenZeppelin — Vulnerabilities & Security Advisories (22)

Browse all 22 CVE security advisories affecting OpenZeppelin. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenZeppelin is a prominent provider of open-source libraries and development tools primarily designed for building secure smart contracts on Ethereum and other blockchain platforms. Its core utility lies in offering audited, standardized implementations of common cryptographic primitives and token standards, which significantly reduces the complexity for developers creating decentralized applications. Historically, vulnerabilities associated with the ecosystem have frequently involved logic errors, access control flaws, and improper handling of external calls rather than traditional web vulnerabilities like XSS. While the libraries themselves are generally robust, incidents often stem from incorrect implementation by downstream projects or misconfiguration of upgradeable proxy patterns. The presence of 22 recorded CVEs highlights the critical importance of rigorous code review and dependency management, as even minor flaws in foundational components can lead to severe financial losses or unauthorized access in deployed systems.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-54070 | OpenZeppelin Contracts's Bytes's lastIndexOf function with position argument performs out-of-bound memory access on empty buffers | openzeppelin-contracts | CWE-125 | 5.3 (AI-estimated) | Medium (AI-estimated) | 2025-07-17 |
| CVE-2024-45304 | OwnableTwoStep allows a pending owner to accept ownership after the original owner has renounced ownership in cairo-contracts | cairo-contracts | CWE-670 | 5.3 | Medium | 2024-08-30 |
| CVE-2024-27094 | OpenZeppelin Contracts base64 encoding may read from potentially dirty memory | openzeppelin-contracts | CWE-125 | 6.5 | Medium | 2024-02-29 |
| CVE-2023-49798 | Duplicated execution of subcalls in OpenZeppelin Contracts | openzeppelin-contracts | CWE-670 | 5.9 | Medium | 2023-12-08 |
| CVE-2023-40014 | OpenZeppelin Contracts's ERC2771Context with custom forwarder may lead to zero-valued _msgSender | openzeppelin-contracts | CWE-116 | 5.3 | Medium | 2023-08-10 |
| CVE-2023-34459 | OpenZeppelin Contracts's MerkleProof multiproofs may allow proving arbitrary leaves for specific trees | openzeppelin-contracts | CWE-354 | 5.3 | Medium | 2023-06-16 |
| CVE-2023-34234 | Governor proposal creation may be blocked by frontrunning in OpenZeppelin | openzeppelin-contracts | CWE-862 | 5.3 | Medium | 2023-06-07 |
| CVE-2023-30541 | TransparentUpgradeableProxy clashing selector calls may not be delegated in @openzeppelin/contracts | openzeppelin-contracts | CWE-436 | 5.3 | Medium | 2023-04-17 |
| CVE-2023-30542 | GovernorCompatibilityBravo may trim proposal calldata | openzeppelin-contracts | CWE-20 | 6.8 | Medium | 2023-04-16 |
| CVE-2023-26488 | OpenZeppelin Contracts contains Incorrect Calculation | openzeppelin-contracts | CWE-682 | 6.5 | Medium | 2023-03-03 |
| CVE-2023-23940 | OpenZeppelin Contracts for Cairo is vulnerable to signature validation bypass | cairo-contracts | CWE-347 | 6.4 | Medium | 2023-02-03 |
| CVE-2022-39384 | OpenZeppelin Contracts initializer reentrancy may lead to double initialization | openzeppelin-contracts | CWE-665 | 5.6 | Medium | 2022-11-04 |
| CVE-2022-35961 | ECDSA signature malleability in OpenZeppelin Contracts | openzeppelin-contracts | CWE-354 | 7.9 | High | 2022-08-14 |
| CVE-2022-35915 | Unbounded gas consumption in @openzeppelin/contracts | openzeppelin-contracts | CWE-400 | 5.3 | Medium | 2022-08-01 |
| CVE-2022-35916 | Cross chain utilities for Arbitrum L2 see EOA calls as cross chain calls | openzeppelin-contracts | CWE-669 | 5.3 | Medium | 2022-08-01 |
| CVE-2022-31198 | GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals in @openzeppelin/contracts | openzeppelin-contracts | CWE-682 | 7.5 | High | 2022-08-01 |
| CVE-2022-31170 | OpenZeppelin Contracts's ERC165Checker may revert instead of returning false | openzeppelin-contracts | CWE-20 | 7.5 | High | 2022-07-21 |
| CVE-2022-31172 | OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers | openzeppelin-contracts | CWE-20 | 7.5 | High | 2022-07-21 |
| CVE-2022-31153 | OpenZeppelin Contracts for Cairo account cannot process transactions on Goerli | cairo-contracts | CWE-664 | 6.5 | Medium | 2022-07-15 |
| CVE-2021-41264 | UUPSUpgradeable vulnerability in OpenZeppelin Contracts | openzeppelin-contracts | CWE-665 | 9.8 | Critical | 2021-11-12 |
| CVE-2021-39167 | TimelockController vulnerability in OpenZeppelin Contracts | openzeppelin-contracts | CWE-269 | 10.0 | Critical | 2021-08-26 |
| CVE-2021-39168 | TimelockController vulnerability in OpenZeppelin Contracts | openzeppelin-contracts-upgradeable | CWE-269 | 10.0 | Critical | 2021-08-26 |

This page lists every published CVE security advisory associated with OpenZeppelin. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.