CVE-2022-35915
Unbounded gas consumption in @openzeppelin/contracts
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.
OpenZeppelin Contracts es una biblioteca para el desarrollo de contratos inteligentes seguros. El contrato objetivo de una consulta EIP-165 "supportsInterface" puede causar un consumo de gas no limitado al devolver muchos datos, mientras que generalmente es asumida que esta operación presenta un coste limitado. El problema ha sido solucionado en versión 4.7.2. Es recomendado a usuarios actualizar. No se presentan mitigaciones conocidas para este problema
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2022-07-15 CVE Reserved
- 2022-08-01 CVE Published
- 2025-04-23 CVE Updated
- 2025-05-28 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-7grf-83vw-6f5x | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3587 | 2023-07-21 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Openzeppelin Search vendor "Openzeppelin" | Contracts Search vendor "Openzeppelin" for product "Contracts" | >= 2.0.0 < 4.7.2 Search vendor "Openzeppelin" for product "Contracts" and version " >= 2.0.0 < 4.7.2" | node.js |
Affected
| ||||||
Openzeppelin Search vendor "Openzeppelin" | Contracts Upgradeable Search vendor "Openzeppelin" for product "Contracts Upgradeable" | >= 3.2.0 < 4.7.2 Search vendor "Openzeppelin" for product "Contracts Upgradeable" and version " >= 3.2.0 < 4.7.2" | node.js |
Affected
| ||||||
Openzeppelin Search vendor "Openzeppelin" | Openzeppelin-eth Search vendor "Openzeppelin" for product "Openzeppelin-eth" | >= 2.0.0 Search vendor "Openzeppelin" for product "Openzeppelin-eth" and version " >= 2.0.0" | node.js |
Affected
| ||||||
Openzeppelin Search vendor "Openzeppelin" | Openzeppelin-solidity Search vendor "Openzeppelin" for product "Openzeppelin-solidity" | >= 2.0.0 Search vendor "Openzeppelin" for product "Openzeppelin-solidity" and version " >= 2.0.0" | node.js |
Affected
|