Improper Encoding or Escaping of Output

CVE-2023-40014

Severity Medium
Score 5.3/10

Summary

OpenZeppelin Contracts is a library for secure smart contract development. Contracts that use `ERC2771Context` together with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with calldata shorter than `20` bytes. This combination of circumstances does not appear to be common; in particular it is not the case for `MinimalForwarder` from OpenZeppelin Contracts, or for any deployed forwarder the team is aware of, because those forwarders append the signer address to every call they relay. This vulnerability affects the "@openzeppelin/contracts-upgradeable" and "@openzeppelin/contracts" packages, versions 4.0.0-beta.0 through 4.9.2.
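The failure mode described above, as an added illustration written for this advisory rather than code taken from the OpenZeppelin library: the vulnerable form reads the appended sender from the last 20 bytes of calldata without checking that 20 bytes exist, and the hardened form adds that length check. The single fixed forwarder address and the `isTrustedForwarder` check are assumptions made to keep the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Simplified model of the ERC2771Context `_msgSender` pattern (added example,
/// not the library's own code). One fixed trusted forwarder is assumed.
abstract contract Erc2771Illustration {
    address private immutable _trustedForwarder;

    constructor(address trustedForwarder) {
        _trustedForwarder = trustedForwarder;
    }

    function isTrustedForwarder(address forwarder) public view returns (bool) {
        return forwarder == _trustedForwarder;
    }

    /// Vulnerable form: assumes the forwarder appended the original sender as
    /// the final 20 bytes of calldata. When calldata is shorter than 20 bytes,
    /// `sub(calldatasize(), 20)` wraps around to a huge offset, `calldataload`
    /// past the end of calldata yields zero bytes, and `sender` silently
    /// becomes address(0) instead of reverting.
    function _msgSenderVulnerable() internal view returns (address sender) {
        if (isTrustedForwarder(msg.sender)) {
            assembly {
                sender := shr(96, calldataload(sub(calldatasize(), 20)))
            }
        } else {
            return msg.sender;
        }
    }

    /// Hardened form: only trust the appended sender when calldata is long
    /// enough to actually contain one; otherwise treat the forwarder itself as
    /// the caller rather than returning address(0).
    function _msgSenderFixed() internal view returns (address sender) {
        uint256 calldataLength = msg.data.length;
        if (isTrustedForwarder(msg.sender) && calldataLength >= 20) {
            assembly {
                // Offset cannot underflow here because calldataLength >= 20.
                sender := shr(96, calldataload(sub(calldataLength, 20)))
            }
        } else {
            return msg.sender;
        }
    }
}
```

A call relayed through a forwarder that does not append the signer, for example a bare 4-byte selector with no arguments, reaches `_msgSenderVulnerable` with fewer than 20 bytes of calldata and is attributed to `address(0)`; any authorization logic that treats `address(0)` specially should be reviewed when upgrading.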

  • LOW
  • NETWORK
  • LOW
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • NONE

CWE-116 - Improper Encoding or Escaping of Output

The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Advisory Timeline

  • Published