CVE-2022-31172

Improper Input Validation in npm/@openzeppelin/contracts

Identifiers

CVE-2022-31172, GHSA-4g63-c64m-25w9

Package Slug

npm/@openzeppelin/contracts

Vulnerability

Improper Input Validation

Description

OpenZeppelin Contracts is a library for smart contract development. Versions from 4.1.0 up to but not including 4.7.1 are vulnerable to SignatureChecker reverting. SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that does not implement EIP-1271 as expected. The contracts that may be affected are those that use SignatureChecker to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1.
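The revert path described above, as an added Solidity illustration that is not OpenZeppelin's code: the vulnerable pattern passes the staticcall return data straight to abi.decode, which reverts on a target that answers with no (or malformed) data, while the hardened pattern checks the return length first and decodes a full word so an unexpected target yields false instead of a revert. The ECDSA branch of isValidSignatureNow for plain EOA signers is omitted; NotAnEIP1271Wallet, SignatureCheckerDemo and Demo are constructed names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC1271 {
    function isValidSignature(bytes32 hash, bytes memory signature) external view returns (bytes4);
}

// Constructed example: a contract that does not implement EIP-1271 and whose
// fallback returns no data. A staticcall to isValidSignature on it "succeeds"
// with an empty return buffer.
contract NotAnEIP1271Wallet {
    fallback() external {}
}

library SignatureCheckerDemo {
    // Vulnerable pattern from the advisory: the return data is decoded without a
    // length check. abi.decode reverts when `result` is shorter than 32 bytes, so
    // the whole signature check reverts instead of returning false.
    function isValidVulnerable(address signer, bytes32 hash, bytes memory signature) internal view returns (bool) {
        (bool success, bytes memory result) = signer.staticcall(
            abi.encodeWithSelector(IERC1271.isValidSignature.selector, hash, signature)
        );
        return success && abi.decode(result, (bytes4)) == IERC1271.isValidSignature.selector;
    }

    // Hardened pattern: require exactly one ABI word before decoding, and decode
    // it as bytes32 (comparing against the left-aligned selector) so the strict
    // bytes4 decoder cannot reject it. Any deviation yields false, not a revert.
    function isValidHardened(address signer, bytes32 hash, bytes memory signature) internal view returns (bool) {
        (bool success, bytes memory result) = signer.staticcall(
            abi.encodeWithSelector(IERC1271.isValidSignature.selector, hash, signature)
        );
        return success && result.length == 32
            && abi.decode(result, (bytes32)) == bytes32(IERC1271.isValidSignature.selector);
    }
}

contract Demo {
    // Deploys the non-EIP-1271 target and runs the hardened check against it.
    // Calling isValidVulnerable with the same arguments would revert.
    function run() external returns (bool hardened) {
        address target = address(new NotAnEIP1271Wallet());
        hardened = SignatureCheckerDemo.isValidHardened(target, keccak256("msg"), "");
        assert(!hardened); // the caller can now treat the signature as invalid
    }
}
```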

Affected Versions

All versions starting from 4.1.0 before 4.7.1

Solution

Upgrade to version 4.7.1 or above.

Last Modified

2022-07-26
