CVE-2023-40014
OpenZeppelin Contracts vulnerable to Improper Escaping of Output
Description
### Impact OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common, in particular it is not the case for `MinimalForwarder` from OpenZeppelin Contracts, or any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders. ### Patches The problem has been patched in v4.9.3.
How to fix CVE-2023-40014
To remediate CVE-2023-40014, upgrade the affected package to a fixed version below.
- —upgrade to 4.9.3 or later
- —upgrade to 4.9.3 or later
Is CVE-2023-40014 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 4.0.0, < 4.9.3
- >= 4.0.0, < 4.9.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |