Openzeppelin Contracts Upgradable
Approved changes feed: RSS · Atom
cpe:2.3:a:openzeppelin:openzeppelin_contracts-upgradable:*:*:*:*:*:node.js:*:*
part: a version: * update: *
| Vendor | Openzeppelin (e0e03368-afa5-5522-8058-af42a8cb296b) |
|---|---|
| Product | Openzeppelin Contracts Upgradable (e8a1d82b-4c8f-5034-b907-43c516a488c6) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | node.js |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/openzeppelin/openzeppelin-contracts-upgradeable |
purl2cpe | 2026-06-01 10:15:44.601768 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2023-40014 |
vulnerable | 2026-06-08 06:09:41.027583 |
OpenZeppelin Contracts's ERC2771Context with custom forwarder may lead to zero-valued _msgSender
MEDIUM (5.3)
OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common, in particular it is not the case for `MinimalForwarder` from OpenZeppelin Contracts, or any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders. The problem has been patched in v4.9.3.
Published: 2023-08-10T19:52:55.699Z
Updated: 2024-10-03T14:58:56.494Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.