Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS05cmN3LWMyZjktMmo1Nc4ABKP_

Moderate CVSS: 6.9 EPSS: 0.00055% (0.17389 Percentile) EPSS:
Permalink JSON

OpenZeppelin Contracts Bytes's lastIndexOf function with position argument performs out-of-bound memory access on empty buffers

Affected Packages Affected Versions Fixed Versions
npm:@openzeppelin/contracts-upgradeable >= 5.2.0, < 5.4.0 5.4.0
853 Dependent packages
4,919 Dependent repositories
884,118 Downloads last month

Affected Version Ranges

All affected versions

5.2.0, 5.3.0

All unaffected versions

3.2.0, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.5.1, 4.5.2, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.4.0
npm:@openzeppelin/contracts >= 5.2.0, < 5.4.0 5.4.0
3,207 Dependent packages
34,743 Dependent repositories
3,948,839 Downloads last month

Affected Version Ranges

All affected versions

5.2.0, 5.3.0

All unaffected versions

2.3.0, 2.4.0, 2.5.0, 2.5.1, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 5.0.0, 5.0.1, 5.0.2, 5.1.0

Impact

The lastIndexOf(bytes,byte,uint256) function of the Bytes.sol library may access uninitialized memory when the following two conditions hold: 1) the provided buffer length is empty (i.e. buffer.length == 0) and position is not 2**256 - 1 (i.e. pos != type(uint256).max).

The pos argument could be used to access arbitrary data outside of the buffer bounds. This could lead to the operation running out of gas, or returning an invalid index (outside of the empty buffer). Processing this invalid result for accessing the buffer would cause a revert under normal conditions.

When triggered, the function reads memory at offset buffer + 0x20 + pos. If memory at that location (outside the buffer) matches the search pattern, the function would return an out of bound index instead of the expected type(uint256).max. This creates unexpected behavior where callers receive a valid-looking index pointing outside buffer bounds.

Subsequent memory accesses that don't check bounds and use the returned index must carefully review the potential impact depending on their setup. Code relying on this function returning type(uint256).max for empty buffers or using the returned index without bounds checking could exhibit undefined behavior.

Patches

Upgrade to 5.4.0

References:

Identifiers

GHSA-9rcw-c2f9-2j55

CVE-2025-54070

Risk

Severity

Moderate

CVSS

CVSS Score: 6.9

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS

EPSS Percentage: 0.00055

EPSS Percentile: 0.17389

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/OpenZeppelin/openzeppelin-contracts

Date and time

Published

13 days ago

Updated

13 days ago

API

JSON