You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The lastIndexOf(bytes,byte,uint256) function of the Bytes.sol library may access uninitialized memory when the following two conditions hold: 1) the provided buffer length is empty (i.e. buffer.length == 0) and position is not 2**256 - 1 (i.e. pos != type(uint256).max).
The pos argument could be used to access arbitrary data outside of the buffer bounds. This could lead to the operation running out of gas, or returning an invalid index (outside of the empty buffer). Processing this invalid result for accessing the buffer would cause a revert under normal conditions.
When triggered, the function reads memory at offset buffer + 0x20 + pos. If memory at that location (outside the buffer) matches the search pattern, the function would return an out of bound index instead of the expected type(uint256).max. This creates unexpected behavior where callers receive a valid-looking index pointing outside buffer bounds.
Subsequent memory accesses that don't check bounds and use the returned index must carefully review the potential impact depending on their setup. Code relying on this function returning type(uint256).max for empty buffers or using the returned index without bounds checking could exhibit undefined behavior.
Update minimum pragma to 0.8.24 in SignatureChecker, Governor and Governor's extensions. (#5716).
Pragma changes
Reduced pragma requirement of interface files
Changes by category
Account
Account: Added a simple ERC-4337 account implementation with minimal logic to process user operations. (#5657)
AccountERC7579: Extension of Account that implements support for ERC-7579 modules of type executor, validator, and fallback handler. (#5657)
AccountERC7579Hooked: Extension of AccountERC7579 that implements support for ERC-7579 hook modules. (#5657)
EIP7702Utils: Add a library for checking if an address has an EIP-7702 delegation in place. (#5587)
IERC7821, ERC7821: Interface and logic for minimal batch execution. No support for additional opData is included. (#5657)
Governance
GovernorNoncesKeyed: Extension of Governor that adds support for keyed nonces when voting by sig. (#5574)
Tokens
ERC20Bridgeable: Implementation of ERC-7802 that makes an ERC-20 compatible with crosschain bridges. (#5739)
Cryptography
Signers
AbstractSigner, SignerECDSA, SignerP256, and SignerRSA: Add an abstract contract and various implementations for contracts that deal with signature verification. (#5657)
SignerERC7702: Implementation of AbstractSigner for Externally Owned Accounts (EOAs). Useful with ERC-7702. (#5657)
SignerERC7913: Abstract signer that verifies signatures using the ERC-7913 workflow. (#5659)
MultiSignerERC7913: Implementation of AbstractSigner that supports multiple ERC-7913 signers with a threshold-based signature verification system. (#5659)
MultiSignerERC7913Weighted: Extension of MultiSignerERC7913 that supports assigning different weights to each signer, enabling more flexible governance schemes. (#5741)
Verifiers
ERC7913P256Verifier and ERC7913RSAVerifier: Ready to use ERC-7913 verifiers that implement key verification for P256 (secp256r1) and RSA keys. (#5659)
Other
SignatureChecker: Add support for ERC-7913 signatures alongside existing ECDSA and ERC-1271 signature verification. (#5659)
ERC7739: An abstract contract to validate signatures following the rehashing scheme from ERC7739Utils. (#5664)
ERC7739Utils: Add a library that implements a defensive rehashing mechanism to prevent replayability of smart contract signatures based on the ERC-7739. (#5664)
Structures
EnumerableMap: Add support for BytesToBytesMap type. (#5658)
EnumerableMap: Add keys(uint256,uint256) that returns a subset (slice) of the keys in the map. (#5713)
EnumerableSet: Add support for StringSet and BytesSet types. (#5658)
EnumerableSet: Add values(uint256,uint256) that returns a subset (slice) of the values in the set. (#5713)
Utils
Arrays: Add unsafeAccess, unsafeMemoryAccess and unsafeSetLength for bytes[] and string[]. (#5568)
Blockhash: Add a library that provides access to historical block hashes using EIP-2935's history storage, extending the standard 256-block limit to 8191 blocks. (#5642)
Bytes: Fix lastIndexOf(bytes,byte,uint256) with empty buffers and finite position to correctly return type(uint256).max instead of accessing uninitialized memory sections. (#5797)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
If you want to rebase/retry this PR, check this box
npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @openzeppelin/contracts-upgradeable@5.3.0
npm error Found: @openzeppelin/contracts@5.4.0
npm error node_modules/@openzeppelin/contracts
npm error dev @openzeppelin/contracts@"5.4.0" from the root project
npm error
npm error Could not resolve dependency:
npm error peer @openzeppelin/contracts@"5.3.0" from @openzeppelin/contracts-upgradeable@5.3.0
npm error node_modules/@openzeppelin/contracts-upgradeable
npm error dev @openzeppelin/contracts-upgradeable@"^5.0.0" from the root project
npm error
npm error Conflicting peer dependency: @openzeppelin/contracts@5.3.0
npm error node_modules/@openzeppelin/contracts
npm error peer @openzeppelin/contracts@"5.3.0" from @openzeppelin/contracts-upgradeable@5.3.0
npm error node_modules/@openzeppelin/contracts-upgradeable
npm error dev @openzeppelin/contracts-upgradeable@"^5.0.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2025-08-11T15_21_33_034Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2025-08-11T15_21_33_034Z-debug-0.log
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/elliptic@6.5.4. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/form-data@4.0.2. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/form-data@4.0.3. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/pbkdf2@3.1.2. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/pbkdf2@3.1.2. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/axios@1.8.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/base-x@3.0.10. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/elliptic@6.5.4. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/elliptic@6.5.4. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/elliptic@6.5.4. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/elliptic@6.5.4. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/elliptic@6.5.4. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/undici@5.28.5. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
renovatebot
changed the title
Update dependency @openzeppelin/contracts to v5.4.0 [SECURITY]
Update dependency @openzeppelin/contracts to v5.4.0 [SECURITY] - autoclosed
Aug 12, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
None yet
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
renovate
bot
force-pushed
the
renovate/npm-openzeppelin-contracts-vulnerability
branch
3 times, most recently
from
This PR contains the following updates:
5.3.0->5.4.0GitHub Vulnerability Alerts
CVE-2025-54070
Impact
The
lastIndexOf(bytes,byte,uint256)function of theBytes.sollibrary may access uninitialized memory when the following two conditions hold: 1) the provided buffer length is empty (i.e.buffer.length == 0) and position is not2**256 - 1(i.e.pos != type(uint256).max).The
posargument could be used to access arbitrary data outside of the buffer bounds. This could lead to the operation running out of gas, or returning an invalid index (outside of the empty buffer). Processing this invalid result for accessing thebufferwould cause a revert under normal conditions.When triggered, the function reads memory at offset
buffer + 0x20 + pos. If memory at that location (outside thebuffer) matches the search pattern, the function would return an out of bound index instead of the expectedtype(uint256).max. This creates unexpected behavior where callers receive a valid-looking index pointing outside buffer bounds.Subsequent memory accesses that don't check bounds and use the returned index must carefully review the potential impact depending on their setup. Code relying on this function returning
type(uint256).maxfor empty buffers or using the returned index without bounds checking could exhibit undefined behavior.Patches
Upgrade to 5.4.0
Release Notes
OpenZeppelin/openzeppelin-contracts (@openzeppelin/contracts)
v5.4.0Compare Source
Breaking changes
SignatureChecker,Governorand Governor's extensions. (#5716).Pragma changes
Changes by category
Account
Account: Added a simple ERC-4337 account implementation with minimal logic to process user operations. (#5657)AccountERC7579: Extension ofAccountthat implements support for ERC-7579 modules of type executor, validator, and fallback handler. (#5657)AccountERC7579Hooked: Extension ofAccountERC7579that implements support for ERC-7579 hook modules. (#5657)EIP7702Utils: Add a library for checking if an address has an EIP-7702 delegation in place. (#5587)IERC7821,ERC7821: Interface and logic for minimal batch execution. No support for additionalopDatais included. (#5657)Governance
GovernorNoncesKeyed: Extension ofGovernorthat adds support for keyed nonces when voting by sig. (#5574)Tokens
ERC20Bridgeable: Implementation of ERC-7802 that makes an ERC-20 compatible with crosschain bridges. (#5739)Cryptography
Signers
AbstractSigner,SignerECDSA,SignerP256, andSignerRSA: Add an abstract contract and various implementations for contracts that deal with signature verification. (#5657)SignerERC7702: Implementation ofAbstractSignerfor Externally Owned Accounts (EOAs). Useful with ERC-7702. (#5657)SignerERC7913: Abstract signer that verifies signatures using the ERC-7913 workflow. (#5659)MultiSignerERC7913: Implementation ofAbstractSignerthat supports multiple ERC-7913 signers with a threshold-based signature verification system. (#5659)MultiSignerERC7913Weighted: Extension ofMultiSignerERC7913that supports assigning different weights to each signer, enabling more flexible governance schemes. (#5741)Verifiers
ERC7913P256VerifierandERC7913RSAVerifier: Ready to use ERC-7913 verifiers that implement key verification for P256 (secp256r1) and RSA keys. (#5659)Other
SignatureChecker: Add support for ERC-7913 signatures alongside existing ECDSA and ERC-1271 signature verification. (#5659)ERC7739: An abstract contract to validate signatures following the rehashing scheme fromERC7739Utils. (#5664)ERC7739Utils: Add a library that implements a defensive rehashing mechanism to prevent replayability of smart contract signatures based on the ERC-7739. (#5664)Structures
EnumerableMap: Add support forBytesToBytesMaptype. (#5658)EnumerableMap: Addkeys(uint256,uint256)that returns a subset (slice) of the keys in the map. (#5713)EnumerableSet: Add support forStringSetandBytesSettypes. (#5658)EnumerableSet: Addvalues(uint256,uint256)that returns a subset (slice) of the values in the set. (#5713)Utils
Arrays: AddunsafeAccess,unsafeMemoryAccessandunsafeSetLengthforbytes[]andstring[]. (#5568)Blockhash: Add a library that provides access to historical block hashes using EIP-2935's history storage, extending the standard 256-block limit to 8191 blocks. (#5642)Bytes: FixlastIndexOf(bytes,byte,uint256)with empty buffers and finite position to correctly returntype(uint256).maxinstead of accessing uninitialized memory sections. (#5797)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.