OpenZeppelin Contracts 4.9.4 for Node.js
cpe:2.3:a:openzeppelin:contracts:4.9.4:*:*:*:*:node.js:*:*
part: a version: 4.9.4 update: *
| Vendor | Openzeppelin (e0e03368-afa5-5522-8058-af42a8cb296b) |
|---|---|
| Product | Contracts (adf340f6-9b56-5cf6-9a4d-258b9794268c) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | node.js |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/openzeppelin/openzeppelin-contracts | purl2cpe | 2026-06-01 10:15:44.569265 |
| pkg:npm/%40openzeppelin/contracts | purl2cpe | 2026-06-01 10:15:44.569267 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2023-49798 | vulnerable | 2026-06-08 06:16:10.502138 | Duplicated execution of subcalls in OpenZeppelin Contracts<br>MEDIUM (5.9)<br>OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of `Multicall.sol` released in `@openzeppelin/contracts@4.9.4` and `@openzeppelin/contracts-upgradeable@4.9.4`, all subcalls are executed twice. Concretely, this exposes a user to unintentionally duplicate operations like asset transfers. The duplicated delegatecall was removed in version 4.9.5. The 4.9.4 version is marked as deprecated. Users are advised to upgrade. There are no known workarounds for this issue.<br>Published: 2023-12-08T23:35:24.467Z<br>Updated: 2024-08-02T22:01:26.056Z | Imported from gcve-enriched-dumps CVE data |