Headline
CVE-2023-49798: Duplicated execution of subcalls in v4.9.4
OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of Multicall.sol released in @openzeppelin/contracts@4.9.4 and @openzeppelin/contracts-upgradeable@4.9.4, all subcalls are executed twice. Concretely, this exposes a user to unintentionally duplicate operations like asset transfers. The duplicated delegatecall was removed in version 4.9.5. The 4.9.4 version is marked as deprecated. Users are advised to upgrade. There are no known workarounds for this issue.
Package
npm @openzeppelin/contracts (npm)
npm @openzeppelin/contracts-upgradeable (npm)
Description
Context
Merge conflict resolution issue when porting the v5.0.1 Multicall update to the v4.9 branch caused a duplicated line.
Impact
Versions using Multicall from @openzeppelin/contracts@4.9.4 and @openzeppelin/contracts-upgradeable@4.9.4 will execute each subcall twice. Concretely, this exposes a user to unintentionally duplicate operations like asset transfers.
Patches
The duplicated delegatecall was removed in 4.9.5. The 4.9.4 version is marked as deprecated.
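The shape of the defect, as an added illustration constructed for this page (not OpenZeppelin's code): a minimal Multicall whose loop body carries the duplicated delegatecall line beside the single-call form that 4.9.5 restores, with a hypothetical `Ledger` contract so the double execution is observable in storage.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the CVE-2023-49798 pattern; not OpenZeppelin's code.
abstract contract DelegateBase {
    // Forward one ABI-encoded call to this contract via delegatecall.
    function _subcall(bytes calldata data) internal returns (bytes memory) {
        (bool ok, bytes memory ret) = address(this).delegatecall(data);
        require(ok, "subcall reverted");
        return ret;
    }
}

// Shape of the affected 4.9.4 loop: the delegatecall line appears twice,
// so every encoded subcall is executed twice.
abstract contract MulticallDuplicated is DelegateBase {
    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = _subcall(data[i]);
            results[i] = _subcall(data[i]); // duplicated line: second execution
        }
    }
}

// Shape of the 4.9.5 loop: exactly one delegatecall per subcall.
abstract contract MulticallFixed is DelegateBase {
    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = _subcall(data[i]);
        }
    }
}

// Hypothetical ledger that makes the effect observable: delegatecall keeps
// msg.sender and this contract's storage, so transfer() moves real balances.
abstract contract Ledger {
    mapping(address => uint256) public balanceOf;
    constructor() { balanceOf[msg.sender] = 100; }
    function transfer(address to, uint256 amount) external {
        balanceOf[msg.sender] -= amount; // checked math: reverts on underflow
        balanceOf[to] += amount;
    }
}

contract LedgerBuggy is Ledger, MulticallDuplicated {}
contract LedgerFixed is Ledger, MulticallFixed {}
```

Passing a single `abi.encodeWithSelector(Ledger.transfer.selector, bob, 10)` to `multicall` moves 20 units on `LedgerBuggy` but 10 on `LedgerFixed`; a regression test that asserts on the post-call balance is the simplest way to catch this class of merge defect before release.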