fkie_cve-2025-54070
Vulnerability from fkie_nvd
Published: 2025-07-17 19:15
Modified: 2025-07-17 21:15
Summary
OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 5.2.0 and prior to version 5.4.0, the `lastIndexOf(bytes,byte,uint256)` function of the `Bytes.sol` library may access uninitialized memory when the following two conditions hold: 1) the provided buffer is empty (i.e. `buffer.length == 0`), and 2) the position is not `2**256 - 1` (i.e. `pos != type(uint256).max`). The `pos` argument could be used to access arbitrary data outside of the buffer bounds. This could lead to the operation running out of gas, or returning an invalid index (outside of the empty buffer). Processing this invalid result for accessing the `buffer` would cause a revert under normal conditions. When triggered, the function reads memory at offset `buffer + 0x20 + pos`. If memory at that location (outside the `buffer`) matches the search pattern, the function would return an out-of-bounds index instead of the expected `type(uint256).max`. This creates unexpected behavior where callers receive a valid-looking index pointing outside buffer bounds. Callers that perform subsequent memory accesses with the returned index and do not check bounds must carefully review the potential impact depending on their setup. Code relying on this function returning `type(uint256).max` for empty buffers, or using the returned index without bounds checking, could exhibit undefined behavior. Users should upgrade to version 5.4.0 to receive a patch.
{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 5.2.0 and prior to version 5.4.0, the `lastIndexOf(bytes,byte,uint256)` function of the `Bytes.sol` library may access uninitialized memory when the following two conditions hold: 1) the provided buffer length is empty (i.e. `buffer.length == 0`) and position is not `2**256 - 1` (i.e. `pos != type(uint256).max`). The `pos` argument could be used to access arbitrary data outside of the buffer bounds. This could lead to the operation running out of gas, or returning an invalid index (outside of the empty buffer). Processing this invalid result for accessing the `buffer` would cause a revert under normal conditions. When triggered, the function reads memory at offset `buffer + 0x20 + pos`. If memory at that location (outside the\u00a0`buffer`) matches the search pattern, the function would return an out of bound index instead of the expected `type(uint256).max`. This creates unexpected behavior where callers receive a valid-looking index pointing outside buffer bounds. Subsequent memory accesses that don\u0027t check bounds and use the returned index must carefully review the potential impact depending on their setup. Code relying on this function returning `type(uint256).max` for empty buffers or using the returned index without bounds checking could exhibit undefined behavior. Users should upgrade to version 5.4.0 to receive a patch."
    },
    {
      "lang": "es",
      "value": "OpenZeppelin Contracts es una librer\u00eda para el desarrollo seguro de contratos inteligentes. A partir de la versi\u00f3n 5.2.0 y anteriores a la 5.4.0, la funci\u00f3n `lastIndexOf(bytes,byte,uint256)` de la librer\u00eda `Bytes.sol` puede acceder a memoria no inicializada cuando se cumplen las dos condiciones siguientes: 1) la longitud del b\u00fafer proporcionado est\u00e1 vac\u00eda (es decir, `buffer.length == 0`) y la posici\u00f3n no es `2**256 - 1` (es decir, `pos != type(uint256).max`). El argumento `pos` podr\u00eda usarse para acceder a datos arbitrarios fuera de los l\u00edmites del b\u00fafer. Esto podr\u00eda provocar que la operaci\u00f3n se quede sin gas o que devuelva un \u00edndice no v\u00e1lido (fuera del b\u00fafer vac\u00edo). Procesar este resultado no v\u00e1lido para acceder al `buffer` provocar\u00eda una reversi\u00f3n en condiciones normales. Cuando se activa, la funci\u00f3n lee la memoria en el desplazamiento `buffer + 0x20 + pos`. Si la memoria en esa ubicaci\u00f3n (fuera del b\u00fafer) coincide con el patr\u00f3n de b\u00fasqueda, la funci\u00f3n devolver\u00eda un \u00edndice fuera de los l\u00edmites en lugar del `type(uint256).max` esperado. Esto genera un comportamiento inesperado: quienes llaman reciben un \u00edndice aparentemente v\u00e1lido que apunta fuera de los l\u00edmites del b\u00fafer. Los accesos posteriores a memoria que no verifiquen los l\u00edmites y utilicen el \u00edndice devuelto deben revisar cuidadosamente el posible impacto seg\u00fan su configuraci\u00f3n. El c\u00f3digo que dependa de que esta funci\u00f3n devuelva `type(uint256).max` para b\u00faferes vac\u00edos o que utilice el \u00edndice devuelto sin verificar los l\u00edmites podr\u00eda presentar un comportamiento indefinido. Los usuarios deben actualizar a la versi\u00f3n 5.4.0 para recibir una actualizaci\u00f3n."
    }
  ],
  "id": "CVE-2025-54070",
  "lastModified": "2025-07-17T21:15:50.197",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-17T19:15:25.623",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.4.0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9rcw-c2f9-2j55"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-125"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}