GHSA-9rcw-c2f9-2j55
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9rcw-c2f9-2j55
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-9rcw-c2f9-2j55/GHSA-9rcw-c2f9-2j55.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-9rcw-c2f9-2j55
- Aliases
- Published
- 2025-07-17T21:19:32Z
- Modified
- 2025-07-17T22:06:46Z
- Severity
-
- 0.0 (None) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenZeppelin Contracts Bytes's lastIndexOf function with position argument performs out-of-bound memory access on empty buffers
- Details
-
Impact
The
lastIndexOf(bytes,byte,uint256)function of theBytes.sollibrary may access uninitialized memory when the following two conditions hold: 1) the provided buffer length is empty (i.e.buffer.length == 0) and position is not2**256 - 1(i.e.pos != type(uint256).max).The
posargument could be used to access arbitrary data outside of the buffer bounds. This could lead to the operation running out of gas, or returning an invalid index (outside of the empty buffer). Processing this invalid result for accessing thebufferwould cause a revert under normal conditions.When triggered, the function reads memory at offset
buffer + 0x20 + pos. If memory at that location (outside thebuffer) matches the search pattern, the function would return an out of bound index instead of the expectedtype(uint256).max. This creates unexpected behavior where callers receive a valid-looking index pointing outside buffer bounds.Subsequent memory accesses that don't check bounds and use the returned index must carefully review the potential impact depending on their setup. Code relying on this function returning
type(uint256).maxfor empty buffers or using the returned index without bounds checking could exhibit undefined behavior.Patches
Upgrade to 5.4.0
- Database specific
{ "github_reviewed": true, "severity": "MODERATE", "github_reviewed_at": "2025-07-17T21:19:32Z", "cwe_ids": [ "CWE-125" ], "nvd_published_at": "2025-07-17T19:15:25Z" }- References
-
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9rcw-c2f9-2j55
- https://nvd.nist.gov/vuln/detail/CVE-2025-54070
- https://github.com/OpenZeppelin/openzeppelin-contracts/pull/5797
- https://github.com/OpenZeppelin/openzeppelin-contracts
- https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.4.0
Affected packages
npm / @openzeppelin/contracts
Package
- Name
- @openzeppelin/contracts
- View open source insights on deps.dev
- Purl
- pkg:npm/%40openzeppelin/contracts
npm / @openzeppelin/contracts-upgradeable
Package
- Name
- @openzeppelin/contracts-upgradeable
- View open source insights on deps.dev
- Purl
- pkg:npm/%40openzeppelin/contracts-upgradeable