CVE-2022-31172

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-31172
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31172.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-31172
Aliases
Related
Published
2022-07-22T04:15:14Z
Modified
2025-07-29T10:33:12.935214Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
[none]
Details

OpenZeppelin Contracts is a library for smart contract development. Versions from 4.1.0 up to, but not including, 4.7.1 are vulnerable to SignatureChecker reverting. SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some calls to revert when the target contract does not implement EIP-1271 as expected. The contracts that may be affected are those that use SignatureChecker to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1.

References

Affected packages

Git / github.com/openzeppelin/openzeppelin-contracts

Affected ranges

Type
GIT
Repo
https://github.com/openzeppelin/openzeppelin-contracts
Events

Affected versions

v4.*

v4.1.0
v4.2.0
v4.2.0-rc.0
v4.3.0
v4.3.0-rc.0
v4.3.1
v4.3.2
v4.4.0
v4.4.0-rc.0
v4.4.0-rc.1
v4.4.1
v4.7.0
v4.7.0-rc.0