Improper Encoding or Escaping of Output
CVE-2023-40014
Summary
OpenZeppelin Contracts is a library for secure smart contract development. OpenZeppelin Contracts is using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with calldata shorter than `20` bytes. This combination of circumstances does not appear to be common, in particular it is not the case for `MinimalForwarder` from OpenZeppelin Contracts, or any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders. This vulnerability affects "@openzeppelin/contracts-upgradeable" and "@openzeppelin/contracts" packages versions 4.0.0-beta.0 through 4.9.2.
- LOW
- NETWORK
- LOW
- UNCHANGED
- NONE
- NONE
- NONE
- NONE
CWE-116 - Improper Encoding or Escaping of Output
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Advisory Timeline
- Published